Security Engineer Interview Prep Guide

Use STRIDE framework: Spoofing (implement MFA, certificate pinning), Tampering (code signing, integrity checks), Repudiation (comprehensive audit logging), Information Disclosure (encryption at rest and in transit, token-based auth), Denial of Service (rate limiting, CDN), Elevation of Privilege (least privilege, sandboxing). Draw the data flow diagram first, identify trust boundaries, and prioritize threats by risk (likelihood x impact).

SSRF allows an attacker to make the server send requests to internal resources. In cloud environments, this is critical because it can access the metadata service (169.254.169.254) to steal IAM credentials, access internal services, and move laterally. Remediation: validate and sanitize URLs, use allowlists for permitted domains, disable HTTP redirects, use IMDSv2 (requires session token), network segmentation with private subnets, and WAF rules for SSRF patterns.

Cover the pillars: identity verification (strong auth, MFA everywhere), device trust (posture assessment, MDM), network microsegmentation (no implicit trust based on network location), application security (mTLS between services), data protection (encryption, DLP), and continuous monitoring (SIEM, UEBA). Discuss the implementation phases: start with identity, then network segmentation, then workload protection. Reference NIST SP 800-207 for the framework.

Evaluate: license compliance, maintenance activity (last commit, number of maintainers), known vulnerabilities (Snyk, OSV), dependency tree analysis (transitive dependencies), code quality review for critical functionality, supply chain risk (typosquatting, maintainer compromise history), and SBOM integration. Set up automated scanning in CI/CD with Dependabot or Renovate. Discuss the difference between accepting risk and mitigating it for business-critical functionality.

Implement a focused scanner in Python: test for SQL injection with single quote and UNION payloads, reflected XSS with script tag injection, and check security headers (CSP, HSTS, X-Content-Type-Options, X-Frame-Options). Parse responses for error messages indicating injection success. Discuss why automated scanning is necessary but insufficient (logical flaws, business logic vulnerabilities) and how this complements manual testing.

OAuth 2.0 is an authorization framework; OIDC adds authentication on top. JWTs carry claims and are signed (JWS) or encrypted (JWE). PKCE prevents authorization code interception for public clients. Common mistakes: storing tokens in localStorage (XSS risk), not validating JWT signatures, using symmetric signing keys shared across services, not implementing token rotation, accepting alg:none, and using authorization code flow without PKCE for SPAs.

Follow NIST IR framework: 1) Identify: confirm the breach, assess scope (which data, how many records). 2) Contain: revoke compromised credentials, isolate affected systems, preserve evidence. 3) Eradicate: identify entry point, patch vulnerability, remove attacker persistence. 4) Recover: restore from clean backups, monitor for re-entry. 5) Lessons learned: blameless postmortem, improve detection and prevention. Discuss communication: legal counsel, regulatory notification requirements (GDPR 72 hours), and customer notification.

Implement security gates at appropriate stages: SAST (static analysis) on pull requests with fast scanners (Semgrep), SCA (dependency scanning) on dependency updates, secrets scanning pre-commit, DAST in staging environments, container image scanning before deployment, and IaC scanning for misconfigurations. Key principle: fail fast with actionable feedback. Only block on critical/high severity. Provide fix guidance in the PR comment. Track mean time to remediate, not just vulnerability count.