Aug 19, 2021, 04:50 AM
AppSec Interview questions
______________

https://github.com/security-prince/Application-Security-Engineer-Interview-Questions

https://wiki.owasp.org/index.php/Reviewing_Code_for_Data_Validation - code review


Books To Read
————————————
API Security in Action by Neil Madden
Threat Modeling: Designing for Security by Adam Shostack
The Tangled Web: A Guide to Securing Modern Web Applications by Michal Zalewski
The Hacker Playbook 3: Practical Guide to Penetration Testing by Peter Kim
Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws by Dafydd Stuttard and Marcus Pinto
Securing DevOps: Safe Services in the Cloud by Julien Vehent


Threat modelling / Code Review
——————
https://computer.howstuffworks.com/vpn.htm

https://www.youtube.com/watch?v=DJ41leCuUm0

https://www.youtube.com/watch?v=-LL4IE663ng

https://www.youtube.com/watch?v=Kepd1HsoE8o

https://www.youtube.com/c/CyberSecurityTV/videos

https://pycharm-security.readthedocs.io/en/latest/checks/index.html

https://www.youtube.com/watch?v=eQ1I0wzS8p0&t=3607s - code review



Security Concepts
___________________

https://www.youtube.com/watch?v=heacxYUnFHA&t=663s - Cert Auth / Chain of Trust

https://www.youtube.com/watch?v=qXLD2UHq2vk - Digital Certs

https://cwe.mitre.org/data/definitions/89.html - SQL injection

https://www.youtube.com/watch?v=mjQ2klZ0NQo - SSRF

https://www.youtube.com/watch?v=nTCDQ0UmFgE&t=844s

https://www.youtube.com/watch?v=2YD4vygeghM&t=278s - XSS

https://www.youtube.com/watch?v=ijalD2NkRFg - API security

https://www.youtube.com/watch?v=zTkv_9ChVPY - API security

https://www.youtube.com/watch?v=aQGbYfalRTA&t=1179s - better API security

https://www.youtube.com/watch?v=5UTHUZ3NGfw&t=3234s - more API security lol

https://www.youtube.com/watch?v=qqmyAxfGV9c - practical API security

https://www.youtube.com/watch?v=27i_husVE1I&t=8506s - CEH

https://www.youtube.com/watch?v=jwzeJU_62IQ&t=35s - just check out his channel

https://www.youtube.com/watch?v=plv7PQZICCM - AWS KMS

https://www.youtube.com/watch?v=KGy_KCRUGd4&t=2565s - threat modelling

https://www.youtube.com/watch?v=-LL4IE663ng - some more threat modelling

https://www.youtube.com/watch?v=HnoZS5jj7pk&t=2467s - AWS DDoS

https://www.youtube.com/watch?v=ClWw1znEUqI - threat modelling

https://www.youtube.com/watch?v=We2cy8JwVqc&t=885s - excellent threat modelling

https://www.youtube.com/watch?v=l4GtDZZFcA8 - mobile threat modelling

https://www.youtube.com/watch?v=v0IsYNDMV7A&t=2391s - crypto stuff

https://www.youtube.com/watch?v=lLeKTVobxDM&t=1763s - OAuth

https://www.youtube.com/watch?v=0VWkQMr7r_c&t=3624s - OAuth

https://www.youtube.com/watch?v=sovAIX4doOE&t=2s - HTTP cookies

https://www.youtube.com/watch?v=SvppXbpv-5k&t=4s - SAML 2.0

https://www.youtube.com/watch?v=rTzlF-U9Y6Y - OpenID

https://www.youtube.com/watch?v=Tcvsefz5DmA - identity management

https://www.youtube.com/watch?v=89mJSz5HVLA - just some nice chill music from cash carti

https://www.youtube.com/watch?v=iYM2zFP3Zn0 - HTTP crash course

https://www.youtube.com/watch?v=UObINRj2EGY - GET vs POST

https://www.youtube.com/watch?v=NEKImNnYB70&t=1130s - GET vs POST

https://www.youtube.com/watch?v=2Nt-ZrNP22A&t=1604s - WebSocket

https://www.youtube.com/watch?v=pdC3H8SX-F4 - OWASP attacks

https://www.youtube.com/watch?v=2EyfgogwbyI - security vulnerabilities in Java



https://content-security-policy.com/

https://www.websecurity.digicert.com/en/ca/security-topics/how-does-ssl-handshake-work

https://www.jscape.com/blog/cipher-suites

https://owasp.org/www-project-top-ten/

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html

https://www.securew2.com/blog/public-vs-private-certificate-authority

https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review#:~:text=Definition%3A%20A%20secure%20code%20review,(flaws)%20in%20the%20code./

https://kinsta.com/blog/code-review-tools/

https://owasp.org/www-community/attacks/xss/

https://owasp.org/www-community/attacks/csrf

https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences#:~:text=Difference%20Between%20Symmetric%20and%20Asymmetric,and%20decrypt%20messages%20when%20communicating.

https://stackoverflow.com/questions/17954432/creating-a-daemon-in-linux

http://www.netzmafia.de/skripten/unix/linux-daemon-howto.html

http://shahmirj.com/blog/beginners-guide-to-creating-a-daemon-in-linux

https://www.loggly.com/ultimate-guide/analyzing-linux-logs/

https://opensource.com/article/19/4/log-analysis-tools

https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

https://doubleoctopus.com/blog/the-ultimate-guide-to-man-in-the-middle-mitm-attacks-and-how-to-prevent-them/

https://blog.securityinnovation.com/blog/2011/06/how-to-test-for-man-in-the-middle-vulnerabilities.html

https://www.softwaretestinghelp.com/networking-interview-questions-2/

https://www.beyondtrust.com/resources/glossary/systems-hardening

https://superuser.com/questions/1324629/does-an-identical-cryptographic-hash-or-checksum-for-two-files-mean-they-are-ide


https://doc.voluum.com/en/traffic_log_overview.html

https://www.geeksforgeeks.org/write-regular-expressions/

https://www.beyondtrust.com/blog/entry/vulnerability-remediation-5-steps-toward-building-effective-process

https://www.synopsys.com/glossary/what-is-threat-modeling.html

https://www.csoonline.com/article/3315700/what-is-application-security-a-process-and-tools-for-securing-software.html

https://www.guru99.com/tcp-3-way-handshake.html#:~:text=THREE%2DWAY%20HANDSHAKE%20or%20a,real%20data%20communication%20process%20starts.

https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/

https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/

https://www.sciencedirect.com/topics/computer-science/three-way-handshake#:~:text=TCP%20uses%20a%20three%2Dway,as%20shown%20in%20Figure%203.8.

https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/#:~:text=SYN%20flood%20attacks%20work%20by,process%20of%20a%20TCP%20connection.&text=The%20server%20then%20responds%20to,the%20packet%20from%20the%20server.

https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work/20847#20847

https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https/5127#5127

https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work/20851#20851

https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/#:~:text=SAST%2C%20or%20Static%20Application%20Security,for%20more%20than%20a%20decade.&text=DAST%2C%20or%20Dynamic%20Application%20Security,running%20application%2C%20typically%20web%20apps.

https://handouts.secappdev.org/handouts/2017/Andrew%20Lee-Thorp/2017-03,%20SecAppDev,%20Threat%20Modeling%20Lab.pdf

https://security.stackexchange.com/questions/tagged/threat-modeling

https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html

https://study-ccna.com/arp/#:~:text=ARP%20(Address%20Resolution%20Protocol)%20is,device%20from%20an%20IP%20address.&text=All%20devices%20on%20a%20local,message%20containing%20its%20MAC%20address.

https://www.osibeyond.com/blog/digital-certificate/

https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/

https://myknowpega.com/404.html#:~:text=Server%20side%20validation%20is%20mainly,side%20validation%20is%20very%20secure.

https://www.outsystems.com/blog/posts/asynchronous-vs-synchronous-programming/#:~:text=In%20synchronous%20operations%20tasks%20are,before%20the%20previous%20one%20finishes.

https://www.w3schools.com/whatis/whatis_ajax.asp

https://www.optiv.com/explore-optiv-insights/blog/tactics-techniques-and-procedures-ttps-within-cyber-threat-intelligence#:~:text=Tactics%2C%20techniques%20and%20procedures%20(TTPs,how%20threat%20actors%20perform%20attacks.

https://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch07_04.htm

https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work

https://www.slashroot.in/secure-shell-how-does-ssh-work

https://en.wikipedia.org/wiki/Secure_Shell_Protocol

https://www.appviewx.com/education-center/what-are-ssh-keys/

https://wifibond.com/2017/04/08/802-11-association-process/

https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_understanding_rsa_algorithm.htm

https://www.comparitech.com/blog/information-security/rsa-encryption/

https://www.isacybersecurity.com/elements-of-an-incident-response-plan/

https://www.sciencedirect.com/topics/computer-science/capture-network-traffic

https://en.wikipedia.org/wiki/Digital_signature

https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_one_time_pad_cipher.htm

https://en.wikipedia.org/wiki/One-time_pad

https://crypto.stackexchange.com/questions/810/what-is-the-difference-between-a-stream-cipher-and-a-one-time-pad#:~:text=One%2Dtime%2Dpads%20are%20theoretical,time%2Dpads%20what%20they%20are.&text=The%20most%20important%20difference%20is,stream%20ciphers%20have%20computational%20secrecy.

https://stackoverflow.com/questions/10471009/how-does-the-man-in-the-middle-attack-work-in-diffie-hellman#:~:text=%22The%20Diffie%2DHellman%20key%20exchange,own%20public%20value%20to%20Bob.

https://www.varonis.com/blog/what-is-oauth/#:~:text=OAuth%20doesn't%20share%20password,without%20giving%20away%20your%20password.

https://www.jscape.com/blog/what-is-hmac-and-how-does-it-secure-file-transfers

https://www.guru99.com/tcp-vs-udp-understanding-the-difference.html#:~:text=TCP%20is%20a%20connection%2Doriented,UDP%20uses%20no%20handshake%20protocols

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/ipsec_vpn_negotiations_c.html#:~:text=The%20main%20purpose%20of%20Phase,peers%20can%20negotiate%20Phase%202.&text=The%20purpose%20of%20Phase%202,encrypt%20and%20authenticate%20the%20traffic.

https://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7

https://www.cloudflare.com/learning/ssl/keyless-ssl/

https://en.wikipedia.org/wiki/HTTP_cookie

https://www.linkedin.com/posts/cybersecurity-news_complete-authentication-types-cyber-security-activity-6792150995611856896-qvLa

https://stackoverflow.com/questions/2100356/is-it-secure-to-store-passwords-in-cookies

https://github.com/OWASP/ASVS/raw/v4.0.2/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.pdf

https://www.coveros.com/application-security-review-process-a-case-study/#:~:text=The%20application%20security%20process%20covers,have%20their%20respective%20quality%20gates.

https://owasp.org/www-project-application-security-verification-standard/

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html

https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en

https://learn.isc2.org/d2l/home/8487

https://www.codecademy.com/articles/what-is-rest

https://www.redhat.com/en/topics/api/what-is-a-rest-api

https://www.guru99.com/comparison-between-web-services.html#:~:text=SOAP%20stands%20for%20Simple%20Object%20Access%20Protocol%20whereas%20REST%20stands,REST%20is%20an%20architectural%20pattern.&text=SOAP%20only%20works%20with%20XML,can%20make%20use%20of%20SOAP.

https://portswigger.net/web-security/ssrf ***

https://apisecurity.io/issue-56-common-jwt-attacks-owasp-api-security-top-10-cheatsheet/

https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage

https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html

https://www.youtube.com/watch?v=SvppXbpv-5k

https://www.youtube.com/watch?v=lLeKTVobxDM

https://en.wikipedia.org/wiki/SAML_2.0

https://martinfowler.com/articles/agile-threat-modelling.html

https://techgenix.com/understanding-man-in-the-middle-attacks-arp-part1/

https://snyk.io/learn/secure-sdlc/

https://crypto.stackexchange.com/questions/6523/what-is-the-difference-between-mac-and-hmac#:~:text=The%20term%20%22MAC%22%20can%20refer,MD5%20or%20SHA256)%20into%20MACs.

https://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy

http://examples.complianceforge.com/ComplianceForge%20Hierarchical%20Cybersecurity%20Governance%20Framework.pdf

https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

https://medium.com/@paul_io/attack-grams-137d99772d07

https://medium.com/@paul_io

https://aws.github.io/aws-eks-best-practices/security/docs/

https://dzone.com/articles/all-you-need-to-know-about-user-session-security

https://portswigger.net/web-security/all-materials

https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/

https://github.com/OWASP/DevGuide

https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/

https://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken

https://medium.com/hackernoon/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03

https://medium.com/@dhanukaperera/csrf-with-synchronizer-token-pattern-a4af534d1764

https://www.audienceplay.com/blog/hashing-vs-encryption-vs-salting-vs-encoding/

https://portswigger.net/web-security/csrf


https://devopedia.org/secure-coding-with-python

https://py.checkio.org/blog/how-to-write-secure-code-in-python/

https://realpython.com/prevent-python-sql-injection/

https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/



AWS Culture
————
https://www.youtube.com/watch?v=HC2S7VKh2VY
https://www.youtube.com/watch?v=rei30obkaBc
https://www.youtube.com/watch?v=oam8FDNJhbE


LP (Leadership Principles)
________

https://www.youtube.com/watch?v=2HYBPKDZda0&t=1580s - meh

Use Dan Croissant or whatever his name is, great guy though

https://interviewgenie.com/blog-1/2018/12/11/how-to-answer-amazon-are-right-a-lot-leadership-principle-interview-questions

https://interviewsteps.com/blogs/news/amazon-leadership-principles-interview?page=2

https://leetcode.com/discuss/interview-question/437082/Amazon-Behavioral-questions-or-Leadership-Principles-or-LP

https://b-ok.cc/dl/3328693/72fad0

https://theinterviewguys.com/amazon-interview-questions/

https://www.nailyourjobinterview.com/deconstruct-amazon-virtual-onsite-loop-behavioral-questions/


https://www.teamblind.com/post/Amazon-LP-interview-questions-RiwtSu0o

https://managementconsulted.com/amazon-leadership-principles/

https://quizlet.com/279919521/amazon-2-flash-cards/#

https://www.glassdoor.ca/Interview/Amazon-Interview-Questions-E6036.htm

https://www.tryexponent.com/questions?company=amazon&type=behavioral&src=dashboard

—————————————————————

Interview Questions
 • How is the padlock icon in the browser generated?
 • How does DNS work?
 • Explain symmetric and asymmetric encryption.
 • What are the applications of symmetric and asymmetric encryption?
 • Name some cryptographic algorithms.
 • What is SQL Injection?
 • What is CSRF?
 • What is Perfect Forward Secrecy?
 • How would you detect malicious activity in Amazon ELB?
 • How does Amazon GuardDuty work?
 • What is a cipher suite?
 • Explain how TLS works.
 • How is the cipher suite negotiated in TLS?


1. Manual code review in either Java, C# or Python.
2. Properties of TLS. What it supports. (Basically everything about it except for explaining the TLS handshake. It was strange that the interviewer did not want that explanation.)
3. Manual threat model.
4. API implementation and design.
5. Authentication for APIs
6. Implementing TLS
7. Securing a SQL DB
8. CSRF
9. SQL Injection
10. Cipher Suites
11. Hashing vs Encryption


Leadership principles are very important. More than you think.
Jul 5, 2020

For the phone screen make sure the following things are clear:
1. AppSec basics (OWASP Top 10)
2. Pick a domain area such as crypto or networking and make sure you are really strong in it
3. They will give you a threat model, so make sure you can enumerate the threats (follow STRIDE or STARLORD)
4. Talk about any automation, tools or scripts you have written in your present role.

For the non-tech part, here is a good starting point to prepare for behavioural questions - https://d1c.io/blog

@WFwz66
Round 1 -
This is a screener; the interviewer had 25+ years of experience, more than 10 in Amazon.

What happens when you type amazon.com?
You should be able to explain the TCP handshake in detail; SYN flood and remediations were asked, as were ARP, DNS, DHCP, SSL handshake and SSL attacks (refer to Thomas Pornin's answer on Stack Exchange), etc., as deep as possible.

SAST vs DAST

Explain SDLC - I explained threat modelling, shifting security left, security in the CI/CD pipeline, etc.

Round 2 (Screener)

1. A situation where you met a goal above and beyond - spoke about a tool I have written and got deployed with hundreds of users per day
2. Taken a decision without higher-up approval, risk taking

Scenario of a mobile app, web app and database;
2 controls to protect each level

We did some detailed threat modelling here.

After Round 2 (Screener) they scheduled 5 rounds, all video conferencing, in a single day.

Final Round 1 - Risk manager interviewing on Leadership Principles - Failed this one

Somehow got stuck failing to find the right examples for these questions.

When you had little data but yet had to deliver a project, how did you handle it?
Explain a use case where you found multiple issues in a product in a single review; how did you assign risk to the issues found?
What risk frameworks do you use?

Final Round 2 - This was a Bar Raiser round by a Senior Security Engineer - This went quite well

How do you convince developers when they refuse to accept your security recommendations; how do you reach common ground?
Some more leadership questions

Final Round 3 - Cloud Security basics and Network Security - I failed this one

Usually they start from basics and drill as far as possible.
TCP/IP and UDP differences in depth. Normal high-level answers are not enough.
TCP handshake, SYN/ACK flood attack remediations; they might ask you further questions and challenge your answers.
You should be able to explain error detection and error correction mechanisms etc. for both. I couldn't remember these concepts in depth; this was the one that I failed at.

MAC address, ARP in detail and IP address
Detailed questions on DHCP: does a static IP address require DHCP?
DDoS attack and remediations: L3, L4, L7; refer to https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
I explained how a CDN can absorb all the attacks before they reach the target server. Not sure if he was satisfied.

Questions on cloud security: IAM policy differences, why is IAM better - probably was looking for knowledge of STS.

Final Round 4 - Application Security - Aced this one
Most of OWASP Top 10 and remediations
A couple of cases of threat modelling:
1. Case of an email exchange server
2. A simple chat app
A couple of leadership principles: anything innovative you have done recently, how do you keep yourself updated.

Final Round 5 - Hiring Manager - This one went well

Leadership questions: When was the last time you were asked to submit a project under tight deadlines? How did you manage?
Suppose you have to attend to the issue of a CEO who got phished vs. a zero day in your product which is public.

Result: 5 interviews happened on Friday; they gave the result on Monday evening, quite fast.
Overall positive, but since I couldn't clear the Network Security competency, I was not selected.



What is the difference between client-side and server-side input validation and what is each used for?
What is XSS?

What are asynchronous requests and when does it make sense to use them? What is AJAX? What is the testing process you use for your UI code? Unit testing? Integration testing?


Describe the last program or script that you wrote. What problem did it solve?

What happens when I type ssh for hostA & hostB?

What happens when I type amazon in the browser?



Threat modelling – what is it? Why is it important?

Are you familiar with any of the more common techniques for threat modeling? What are they?

What is XSS?

What is SQL injection?
What is cross-site request forgery?

Give me your personal definition of cryptography.
Differentiate encryption and signing.

Difference between asymmetric and symmetric cryptography.
Pros/cons of asymmetric/symmetric
PKI

SSO: OpenID, SAML, OAuth


——————


Top 10 OWASP vulnerabilities
Threat
Risk
Remediation

Explain OWASP Top 10 and VPN connection

Technical:
Hashing vs. Encryption?
Symmetric vs Asymmetric? Examples of each?
OWASP Top 10 and how to prevent them
Hashing scenario problem
Authentication scenario problem
Session management scenario problem (CSRF)
Certificate Authority
DNS
Recent hacks/news around cybersecurity

Behavioral:
Why Amazon?
Tell me about a goal and the steps you took to accomplish it
Tell me about a time you went through a personal obstacle or challenge
Tell me about your favorite project
Tell me about a time when you took on something you weren't required to do


- In my case it was more about coding, code review and situational questions.



It was good, I think; they do not ask traditional questions: they gave me a situation and asked for my approach. First interview was successful for me; second interview was a little bit difficult, I think. I had a task to complete in an hour.

What do you do: the incident reported that the Firefox version was infected by malware.

What is XSS vulnerability?
What is SQL Injection vulnerability?
What is CSRF vulnerability?
Difference between symmetric and asymmetric key?
3-4 more similar questions

I was contacted by a recruiter.
We quickly arranged a phone interview. It lasted one hour; the interviewer was very pleasant. The questions were mainly about network security, what happens when you type in "amazon.com", intercepting traffic, TLS, Unix and access rights. One question was behavioural, one of the classic questions you can find on the Internet.
No one got back to me for several days. After a reminder, I was told I'd passed, so we arranged another interview. The second interview went for 2 hours: one hour behavioural, one hour technical task. The technical part had three parts to it: writing a daemon for a task, analyzing a network dump and parsing a log file. The tasks are fairly easy, but time-consuming if you don't do them on a daily basis.
Got a rejection email in a few days. I asked two small follow-up questions; no one cared to respond to this day, even after a reminder.
I wasn't asked a single question about web security or SDLC for an Application Security position, which I find very surprising.
In general, the aftertaste is that people are uninterested and arrogant, apart from the first phone interview which was nice and friendly. Technical tasks and questions are okay for a knowledgeable person.


How to intercept traffic between a victim and a webserver?

Security fundamental questions: OWASP Top 10, crypto algorithms, network protocols, one project in detail from your resume (I explained a password cracker)
Penetration testing,
log monitoring,
server security hardening questions (all were scenario-based),
previous experience and projects


First round was a phone interview with an AWS Security Engineer. It lasted an hour and covered network protocols, TLS/UDP, DNS etc. and also a threat modelling scenario.

I found out the next day that I had moved on to the next round (the Amazon loop). This was with 5 Amazon employees across software engineering and security teams; 1 was the hiring manager. Each round focused on behavioural questions (Amazon Leadership Principles) and technical questions. The technical questions covered the usual network security questions, code review and threat modelling.

I felt a bit out of my depth in some areas, but 4/5 people I interviewed with were patient and taught me something new, which I appreciated. There was 1 engineer that kept interrupting me and it felt more like an interrogation than an interview at one point, but maybe I just wasn't staying in line with what they were asking.

Overall, even though I wasn't successful, I got some great advice and guidance from the interviewers. It's a long day of interviewing (5 hours), so it's good to get something out of it at least.

In-depth scenario about how I might find evidence of malicious activity within the AWS EBS service. The interviewer used almost the whole hour to dig in on this.

Can two files generate the same checksum?

What would you use to order a log of traffic by date?

Basic questions: what is encryption, how does authentication work, describe Unix fundamentals, how does hashing work, describe how a for loop works.

The recruiter contacted me first, and scheduled a technical phone interview. The phone interview was about an hour, with a coding/scripting question (~20 mins) and some general questions about my experience/skills based on the resume (~30 mins).
I didn't pass the phone interview, but I already had an offer from another company.

a simple coding/scripting question (language of your choice)
general questions about my experience/skills based on the resume
didn't have the 14 principle questions

Do you have experience in writing regex?

Take us through a process in which you found a security vulnerability in a product and "owned" the remediation of the vulnerability end to end. (asked 5+ times)

Two rounds of face-to-face interviews.
First round was technical: basic cryptography, privacy, OS sec, pentesting, security tools, projects, certifications, experience etc.
Second was the leadership and behavioral round (based on Amazon's 14 leadership principles).

Scenario-based questions. "How would you exploit a system with these protections applied?"



The interview process started with an engineer asking about previous experience and a few technical questions. The second interview was related to threat modelling, something that I had never done in real life. I was never given any context about what kind of question was going to be on the interview. I was told that this was for an entry-level position and I was surprised that the interviewer expected me to be on the same level as him (he had ~10 years of experience).


I didn't feel bad about failing the interview because it felt like they didn't have a clear idea about the responsibilities of the position. And the process didn't feel humane at all.

My advice would be to know your candidate's background before interviewing. Interviewers should know what level of knowledge is expected for a particular position. Time is important.


After initial phone calls and emails with the recruiting coordinator, I had two 1-hour technical phone interviews before going in for a day of 5 in-person interviews. Unfortunately, one of the interviewers could not call in that day, so I had to wait and do another 1-hour phone interview 3 days later. The interviews consisted of both in-depth technical questions and situational/behavioral questions. The interviewers came from both the group I was trying to join and other groups who didn't know what that group did.


Interview
Received random interviews which mostly didn't relate to the position that I was being interviewed for. Talked to managers about some targeted PDF attack that they received and how I would defend against it if the opportunity cost was infinite dollars for the attack.

At one point I was abandoned in a break/lunch room for an hour to entertain myself with my phone. Someone found me eventually.


They wanted to know about my ideas about digital currency and how I, without any recon or knowledge of Amazon infrastructure, would hack them.

I contacted AWS after reading an ad I'd seen on LinkedIn. The HR person called to set up the first phone screen interview and provided various documents including a consent for a criminal records check and a statement of the Amazon values. These, I learned, are the cult truths that must be internalized by all new devotees.

The first telephone screen was technical, was conducted by a senior engineer and took an hour. I should confess I knew little about AWS, so I was a little wrong-footed because they opened with questions about their business offering. Then it got on to tech questions: "How would you do X?", "Explain what happens (in as much detail as possible) when a user does Y?" and so on. Since this was a security screen there were basic crypto and similar questions. I found that enjoyable and my interviewer told me I'd definitely be going forward. It took two weeks before I heard from HR and it was another phone screen - this time with a manager.

The second phone screen also asked some technical questions, but the focus was different and considered me as a person and my work history. This was also scheduled to take an hour. I got a chance to explain my experience and to listen to some of the corporate spiel. It is clear that internalizing the Amazon values is core to acceptance. Again positive verbal feedback and another two-week wait.

Next up were the face-to-face meetings, and they lined up five one-hour interviews with various senior people. For this they flew me interstate. Each interview had a different focus and they were largely enjoyable and interesting. I got to ask questions, but a combination of time constraints and not wanting to appear picky meant I didn't get to ask enough questions to satisfy myself as to what I'd actually do. I got a clear impression that they equate hours with effort and that work/life balance is tilted in favor of work. They also did not meet my interview expenses (I'd incurred about $100 for taxis etc.) and I thought that a bit cheap. I was also left in no doubt that on-calls will feature heavily and travel to Seattle will happen reasonably often. Another two weeks before the offer materialized.
Interview Questions
 • I had no trouble with any of the tech questions, but I definitely got one wrong (although I hinted it was more of a guess than knowledge) and couldn't answer another. The most difficult were business questions, as they have fewer obviously correct answers.

* Use resources such as The Web Application Hacker's Handbook
* Review all the OWASP classes of security bugs and make sure you are able to explain each notion by heart
* Train yourself to be positive
* Make sure you have done at least all the LC (LeetCode) easy problems and many LC medium ones.