Interview Structure

Security engineer interviews typically cover: security fundamentals, hands-on exercises, system design, and behavioral scenarios.
Core Knowledge Topics
Cryptography
Understand encryption algorithms and their properties:
Interview question: Implement a secure password hasher
import bcrypt

def hash_password(password):
    """Hash password with bcrypt (the correct answer)"""
    # gensalt() returns a fresh random salt; rounds=12 sets the work factor
    # (2^12 iterations), which is what makes offline guessing expensive
    salt = bcrypt.gensalt(rounds=12)
    # hashpw() returns salt and digest together in modular-crypt format, so the
    # stored value can later be checked with bcrypt.checkpw(password.encode(), stored)
    return bcrypt.hashpw(password.encode(), salt)
Follow-up: Why not SHA-256?
Answer: SHA-256 is fast, making brute-force feasible.
bcrypt/argon2 are deliberately slow and include salt.
Follow-up: What about MD5?
Answer: MD5 is broken for collision resistance. Never use.
Network Security
Interview question: Implement a simple port scanner
import socket

def scan_port(host, port, timeout=1):
    """Return True if a TCP connect to host:port succeeds within timeout seconds."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # connect_ex returns 0 on success and an errno on refusal/timeout instead of raising
        result = sock.connect_ex((host, port))
    finally:
        sock.close()  # always release the socket, even if connect_ex raises
    return result == 0
Follow-up: How would you scan without being detected?
Answer: Use SYN scan (stealth scan), randomize port order,
and introduce delays between probes.
System Design Questions
Design a Secure Authentication System
High-level design
class SecureAuthSystem:
    components = [
        "Rate limiter (token bucket per IP)",
        "Account lockout (5 failures, 15 min lockout)",
        "MFA enforcement (TOTP preferred)",
        "Session management (JWT, short-lived)",
        "Anomaly detection (new device/location)",
        "Audit logging (immutable, SIEM-forwarded)",
    ]

    def login_flow(self):
        return {
            "1": "Validate credentials (bcrypt compare)",
            "2": "Check rate limits",
            "3": "Verify MFA if enabled",
            "4": "Check for suspicious context",
            "5": "Generate session tokens",
            "6": "Log authentication event",
        }
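The component list above is a design sketch; an interviewer will usually ask you to make one or two of the pieces concrete. The code below is an added example, not from the original article, implementing the per-IP token bucket, the "5 failures, 15 min lockout" rule and the audit trail from the design. The check_password callable and the clock are injected (assumed interface for the example) so the guard works with any hashing scheme and the lockout window can be exercised deterministically.

```python
import time
from collections import defaultdict

# Policy values taken from the design above
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


class TokenBucket:
    """Per-IP token bucket: `capacity` requests of burst, refilled at `rate` tokens/second."""

    def __init__(self, capacity, rate, now):
        self.capacity = capacity
        self.rate = rate
        self.tokens = float(capacity)
        self.updated = now

    def allow(self, now):
        # refill proportionally to elapsed time, never above capacity
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.rate)
        self.updated = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class LoginGuard:
    """Rate limiting, account lockout and audit logging around a credential check.

    check_password(user, password) -> bool is an assumed injected interface;
    clock is injected (default time.monotonic) so tests can move time forward.
    """

    def __init__(self, check_password, clock=time.monotonic,
                 bucket_capacity=10, bucket_rate=1.0):
        self.check_password = check_password
        self.clock = clock
        self.bucket_capacity = bucket_capacity
        self.bucket_rate = bucket_rate
        self.buckets = {}                  # ip -> TokenBucket
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked_until = {}             # user -> monotonic time the lock expires
        self.audit = []                    # append-only list standing in for SIEM forwarding

    def _log(self, **event):
        event["ts"] = self.clock()
        self.audit.append(event)

    def login(self, user, password, ip):
        now = self.clock()
        # rate limit first so an unthrottled client cannot drive the expensive hash compare
        bucket = self.buckets.setdefault(
            ip, TokenBucket(self.bucket_capacity, self.bucket_rate, now))
        if not bucket.allow(now):
            self._log(user=user, ip=ip, result="rate_limited")
            return "rate_limited"
        # account lockout: refuse even a correct password while the window is open
        if self.locked_until.get(user, 0) > now:
            self._log(user=user, ip=ip, result="locked")
            return "locked"
        if not self.check_password(user, password):
            self.failures[user] += 1
            if self.failures[user] >= MAX_FAILURES:
                self.locked_until[user] = now + LOCKOUT_SECONDS
                self.failures[user] = 0
                self._log(user=user, ip=ip, result="lockout_triggered")
                return "locked"
            self._log(user=user, ip=ip, result="login_failed")
            return "login_failed"
        self.failures[user] = 0
        self._log(user=user, ip=ip, result="login_success")
        return "login_success"
```

The rate limit runs before the credential check, one step earlier than in the numbered flow above, because a bcrypt compare at cost 12 is exactly the work you do not want to hand to an unthrottled client; the lockout is keyed by account rather than IP so that rotating source addresses does not reset it. MFA and session issuance would sit after the success branch.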
Design a Secrets Management System
Requirements:
- Store secrets encrypted at rest (AES-256-GCM)
- Access control (RBAC)
- Audit logging
- Automatic rotation
- High availability
Data flow:
1. Client request -> API Gateway -> Auth check
2. Auth check -> JWT validation -> Permission check
3. Permission check -> Key hierarchy -> Decrypt secret
4. Return secret (with audit log)
Key hierarchy:
- Master key (HSM/KMS)
- Database encryption keys
- Secret encryption keys
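Steps 2 to 4 of the data flow and the key hierarchy are what interviewers probe hardest, so here is the envelope-encryption core in code. This is an added example, not from the original article: it assumes the cryptography package (its AESGCM class) is installed, a MasterKey object stands in for the HSM/KMS, and the ROLES table is an assumed RBAC mapping. Each secret gets its own data-encryption key, which is wrapped by the master key; rotating the master key then only re-wraps the small DEKs rather than re-encrypting every secret.

```python
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # assumed: cryptography package installed


class MasterKey:
    """Stand-in for the HSM/KMS root of the hierarchy: it only wraps and unwraps
    data-encryption keys, and the key material never leaves this object."""

    def __init__(self):
        self._aead = AESGCM(AESGCM.generate_key(bit_length=256))

    def wrap(self, dek: bytes) -> bytes:
        nonce = os.urandom(12)  # 96-bit nonce, unique per wrap
        return nonce + self._aead.encrypt(nonce, dek, b"dek")

    def unwrap(self, wrapped: bytes) -> bytes:
        return self._aead.decrypt(wrapped[:12], wrapped[12:], b"dek")


class SecretStore:
    # Assumed RBAC table for the example: role -> permitted actions
    ROLES = {"admin": {"read", "write"}, "app": {"read"}, "auditor": set()}

    def __init__(self, master: MasterKey):
        self.master = master
        self.records = {}  # name -> {"wrapped_dek", "nonce", "ciphertext"}
        self.audit = []    # append-only audit trail, every decision logged

    def _authorize(self, principal, role, action, name):
        allowed = action in self.ROLES.get(role, set())
        self.audit.append({"principal": principal, "role": role, "action": action,
                           "secret": name, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{principal} ({role}) may not {action} {name}")

    def put(self, principal, role, name, value: bytes):
        self._authorize(principal, role, "write", name)
        dek = AESGCM.generate_key(bit_length=256)  # one DEK per secret
        nonce = os.urandom(12)
        # the secret name is bound as AAD: a ciphertext cannot be silently moved to another name
        ciphertext = AESGCM(dek).encrypt(nonce, value, name.encode())
        self.records[name] = {"wrapped_dek": self.master.wrap(dek),
                              "nonce": nonce, "ciphertext": ciphertext}

    def get(self, principal, role, name) -> bytes:
        self._authorize(principal, role, "read", name)
        rec = self.records[name]
        dek = self.master.unwrap(rec["wrapped_dek"])  # master key -> DEK
        return AESGCM(dek).decrypt(rec["nonce"], rec["ciphertext"], name.encode())

    def rotate_master(self, new_master: MasterKey):
        """Re-wrap every DEK under a new master key; secret ciphertexts are untouched."""
        for rec in self.records.values():
            dek = self.master.unwrap(rec["wrapped_dek"])
            rec["wrapped_dek"] = new_master.wrap(dek)
        self.master = new_master
```

Because GCM is authenticated, any modification of a stored ciphertext or of the wrapped DEK fails at decrypt time with an InvalidTag error rather than returning garbage, which is the "encrypted at rest" guarantee the requirements list actually needs.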
Practical Exercise
Exercise: Security incident investigation
incident_logs = [
{"time": "10:00", "user": "alice", "event": "login", "ip": "192.168.1.1"},
{"time": "10:01", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
{"time": "10:02", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
{"time": "10:03", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
{"time": "10:04", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
{"time": "10:05", "user": "alice", "event": "login_success", "ip": "10.0.0.5"},
{"time": "10:06", "user": "alice", "event": "export_data", "ip": "10.0.0.5"},
{"time": "10:07", "user": "alice", "event": "delete_logs", "ip": "10.0.0.5"},
]
Questions:
1. What indicators of compromise do you see?
2. What is the likely attack vector?
3. What immediate containment actions?
4. What forensic data would you collect?
Analysis:
- IP change: 192.168.1.1 (corp) -> 10.0.0.5 (internal)
- Brute force pattern: 4 failed logins
- Suspicious actions after login: data export + log deletion
- Likely: credential stuffing -> account takeover -> data exfiltration
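The analysis above is what a candidate should produce by eye; a stronger answer is to show the same reasoning as detection logic that runs over the log. The code below is an added example, not from the original article. It embeds a constructed copy of the exercise rows and flags the three indicators listed in the analysis: a source-IP change, a success following a run of failures (the threshold of 3 is an assumption for the example), and sensitive actions taken after such a login.

```python
# Constructed copy of the exercise log above (same rows), embedded so the block runs stand-alone
sample_logs = [
    {"time": "10:00", "user": "alice", "event": "login", "ip": "192.168.1.1"},
    {"time": "10:01", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
    {"time": "10:02", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
    {"time": "10:03", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
    {"time": "10:04", "user": "alice", "event": "login_failed", "ip": "10.0.0.5"},
    {"time": "10:05", "user": "alice", "event": "login_success", "ip": "10.0.0.5"},
    {"time": "10:06", "user": "alice", "event": "export_data", "ip": "10.0.0.5"},
    {"time": "10:07", "user": "alice", "event": "delete_logs", "ip": "10.0.0.5"},
]

SUCCESS_EVENTS = {"login", "login_success"}
SENSITIVE_EVENTS = {"export_data", "delete_logs"}  # high-impact actions worth flagging post-compromise
FAILURE_THRESHOLD = 3  # assumed: consecutive failures before a later success counts as brute force


def find_indicators(logs):
    """Walk each user's events in order and return human-readable indicators of compromise."""
    by_user = {}
    for entry in logs:
        by_user.setdefault(entry["user"], []).append(entry)

    indicators = []
    for user, events in by_user.items():
        last_ip = None
        failures = 0          # consecutive failed logins seen so far
        compromised = False   # set once a success follows a brute-force run
        for e in events:
            if last_ip is not None and e["ip"] != last_ip:
                indicators.append(
                    f"{user}: source IP changed {last_ip} -> {e['ip']} at {e['time']}")
            last_ip = e["ip"]

            if e["event"] == "login_failed":
                failures += 1
            elif e["event"] in SUCCESS_EVENTS:
                if failures >= FAILURE_THRESHOLD:
                    indicators.append(
                        f"{user}: login success from {e['ip']} after {failures} failures "
                        f"(brute force / credential stuffing) at {e['time']}")
                    compromised = True
                failures = 0  # a success ends the run either way
            elif e["event"] in SENSITIVE_EVENTS and compromised:
                indicators.append(
                    f"{user}: {e['event']} at {e['time']} after suspicious login")
    return indicators
```

Run against the sample it returns four indicators in time order: the IP change at 10:01, the success after four failures at 10:05, and the export and log deletion that follow. Keying the state per user rather than per IP is what ties the 10:00 corporate login to the later internal-address activity, and the delete_logs row is the reason containment should preserve the central copy of these events before anything else.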
Behavioral Questions
Be prepared to discuss:
- A time you found a critical vulnerability
- How you convinced developers to fix security issues
- A security incident you handled
- How you stay current with security research
- Conflict between security and business needs
Resources for Preparation
Study these areas in depth: OWASP Top 10, cloud security (AWS/GCP/Azure), network protocols, cryptography fundamentals, and compliance frameworks. Practice with hands-on labs and capture-the-flag challenges. Be ready to whiteboard system designs and discuss real-world threat scenarios.