Software Integrity


Web AppSec interview questions every company should ask

So, you’re looking to hire a new Web application security team member? You’ve found a promising entry or mid-level candidate (depending on the open position you’re looking to fill) with a suitable professional background. During the phone screening, they claim to have a ninja-level knowledge of security, and seem ready to dodge any challenges you might throw their way. Is that so? As the interviewer, you’re thinking “challenge accepted!”

You decide to bring this confident, enthusiastic candidate in for an interview. Let’s start by testing their general IT knowledge, shall we?

Interview challenge #1: The basics

Start off the interview by testing the candidate to ensure that they understand how websites work in general. Here, you’re probing to ensure they have a fair understanding of protocols, networking layers, browsers, servers, databases, data at rest, data in transit, and the like.

Here are a few classic interview questions to gather their understanding on these topics:

  • Question (scenario): Explain what happens when ‘google.com’ is entered in a browser’s address bar.

This is a very open-ended question. The right answer varies as per the job requirements. But in general, the candidate should have a fair understanding of DNS, DHCP, ARP, TCP and SSL/TLS handshakes, proxy, cookies, session management, HTTP methods, GET/POST, etc.

  • Question: Are you a Mac/Windows/Linux person? Which OS is most secure?

Trick question! No OS is completely secure, and a lot depends on how it is patched, configured, and managed. Follow-up questions can be asked on OS hardening, patching, configuration management, etc.

*TIP: Start with open-ended questions and then drill down into the specifics based on the candidate’s responses and job requirements. Trivia questions like ‘what is the port number for SMTP?’ are not recommended.*

Interview challenge #2: Network security

Now that you’ve covered the basics, let’s establish an understanding of their network security knowledge.

The candidate has probably been throwing out various network terms. Now might be a good time to ask “so, how would you hack it?” Skills in network security are essential for an astute application security professional. The candidate should know about the common exploits and remediation related to networks. Here are some relevant network-related questions for your candidate:

  • Question: How would you perform a network reconnaissance?

Here, you’re looking for awareness of basic tools and network commands—namely nmap, nessus, ping, traceroute, nslookup, etc.

  • Question (scenario): Let’s say you are a Web administrator for HandlingMoreTrafficThanFacebook.com. How would you prevent a DDoS attack on the website?

This could be a stress question, especially if the candidate does not have a networking or admin background. All you’re looking for here is the basic understanding of how networks work and what can be done to prevent unsolicited requests to your website—using things such as throttling, load balancers, smart firewalls, bandwidth flexibility, third-party content delivery network providers, etc.

  • Question (scenario): You’re sitting at a Starbucks enjoying a macchiato and free public Wi-Fi. How would you go about hacking other people on the network?

You may ask the candidate to think like an attacker. You’re looking for a well-thought-out approach and things like packet sniffing (Wireshark), man-in-the-middle attacks (like the WPAD attack), eavesdropping on unencrypted data, Metasploit framework and tools, etc.

*TIP: Cover all 3 things related to a vulnerability: the root cause, the actual attack, and the defense mechanisms.*

Interview challenge #3: Web application security

And without any further ado, let’s proceed to the core challenge.

Now is the time to test your candidate’s knowledge on common Web-based attacks and their familiarity with taxonomies like the OWASP Top 10, describing attacks such as SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), directory traversal, LDAP/XML/command injection, clickjacking, remote file inclusion, remote code execution, buffer/integer/heap overflows, etc. Hundreds of questions can be formulated on this category alone; however, since there is only limited time to assess the candidate, consider questions where you’ll be able to understand their thought process:

  • Question: Which approach is better: a manual security test or an automated security test?

Short answer: It depends. Long answer: We don’t have a clear winner so the candidate should compare the pros and cons of both and describe a balanced approach.

  • Question: What is the difference between white box and black box testing? Which is better?

Trick question, especially the “which is better” part. It depends on a host of factors such as cost, time, the team’s requirements, code availability, stage of the SDLC, etc.

  • Question: Explain a DOM-based cross-site scripting attack.
  • Question: Is input validation sufficient to prevent cross-site scripting?
  • Question: Explain a blind SQL injection attack.
  • Question: What is the difference between authentication and authorization?
  • Question: What is same origin policy? What is CORS (cross-origin resource sharing)?
  • Question: How would you perform a security/penetration test on a Web application covering the following scenarios:

Unauthenticated tests on the login page: test for brute forcing, password cracking, rainbow table attacks, account lockouts, clickjacking, session fixation, etc.

Authenticated tests with one user account: test for the usual suspects from the OWASP Top 10.

Authenticated tests with multiple user accounts: test for horizontal privilege escalation, vertical privilege escalation, and forceful browsing.

*TIP: Don’t ask about the differences between TCP and UDP. This question is beaten to death already!*

Interview challenge #4: The tools and practical knowledge

Next, test the candidate for their familiarity with tools and hands-on experience. There is no precise list of tools, but a familiarity with some common ones (such as proxies, packet sniffers, network reconnaissance/monitoring/capturing tools, fuzzers, etc.) is always a plus. Here are some sample questions to consider:

  • Question: Have you taken part in a bug bounty or CTF contest?
  • Question: Which is your favorite security tool and why?
  • Question: What is the most interesting vulnerability you’ve found?
  • Question (scenario): You have a login page with “username” and “password” fields. How would you test for SQL injection without using any tool?

*TIP: Ensure that the candidate remains comfortable by keeping the interview conversational and dropping hints wherever needed.*

Interview challenge #5: Cryptography

Knowledge of basic practical cryptography is a must for any good security professional, who should not only understand how sensitive data is protected at rest and in transit but also know about common cryptographic attacks and their prevention. Here are some questions to test this knowledge:

  • Question: What is the difference between encryption, encoding, and hashing?

It’s better if the candidate can explain with some example algorithms.

  • Question: What is the difference between asymmetric and symmetric cryptography?

This can have follow-up questions on example algorithms, key exchange, performance, usage, etc.

  • Question: Why is the word “password” a bad password?

This is to test the candidate’s understanding of password storage and password brute forcing. Here, you’re looking for concepts like: password crackers, rainbow tables, dictionary attacks, hashing, and salting.
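
A model answer in code, added here as an illustration (not part of the original post): the weak scheme hashes “password” with a single fast SHA-256, so every user who picked it gets the same digest and a precomputed table (a tiny constructed stand-in for a rainbow table) recovers it instantly; the recommended scheme adds a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256), so identical passwords yield different digests and the table is useless. All names and sample users are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two users who both chose the weak password "password".
USERS = {"alice": "password", "bob": "password"}

# Constructed stand-in for a precomputed (rainbow) table: plain SHA-256 of a
# handful of common passwords. Real tables hold billions of entries.
COMMON = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Why the weak scheme fails: a plain digest is a table lookup away."""
    return PRECOMPUTED.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, bytes]:
    """Recommended scheme: random per-user salt + slow KDF. Store both values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    _, digest = salted_hash(password, salt)
    return hmac.compare_digest(digest, stored)


def demo() -> dict:
    # Unsalted: both users share one digest, and the table recovers it.
    a, b = unsalted_hash(USERS["alice"]), unsalted_hash(USERS["bob"])
    # Salted: same password, different digests; precomputation does not help.
    sa, da = salted_hash(USERS["alice"])
    sb, db = salted_hash(USERS["bob"])
    return {
        "unsalted_same": a == b,
        "unsalted_recovered": lookup_unsalted(a),
        "salted_same": da == db,
        "verify_ok": verify("password", sa, da),
        "verify_wrong": verify("Password", sa, da),
    }
```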

  • Question (scenario): How does gmail.com ensure that some hacker on the Internet is not reading my emails while Gmail pushes the emails out to me?

Here, you’re looking for SSL/TLS explanation, man-in-the-middle attacks, and their prevention.

*TIP: Unless you’re looking to fill a cryptography ninja position, only focus on practical aspects of cryptography (not the gory math behind it).*

Interview challenge #6: Coding

You may be thinking “wait, what? Why coding? Isn’t this supposed to be a Web AppSec interview?”

A security professional might have to perform secure code review or write automation scripts. It is important to check for this skill as well; the level of depth, however, depends on the position at hand. These questions will help the interviewer gather more information on their coding knowledge and experience:

  • Question: What is the last/biggest/best program you wrote?
  • Question: What is your programming language of choice and why?
  • Question: Have you written a program to generate a new programming language?

You might expect an answer such as “thanks for interviewing me; I will seek employment elsewhere.” Just kidding! The idea is that the programming question’s difficulty level depends on the job requirement.

Interview challenge #7: Other security topics

Software security is not just Web application security. The candidate’s knowledge in various sister fields, such as secure architecture design, mobile security, source code review, reverse engineering, and malware analysis, should be discussed with regard to the position at hand.

Interview challenge #8: Soft skills

Last, but not least, are the skills like passion, work ethic, communication, leadership, and professionalism. While I’m no HR pro, I do have a few sample question recommendations that can be asked from the technical perspective:

  • Question: What security podcasts/blogs/websites do you follow?
  • Question: Are you part of any local security group (OWASP chapters/meetup groups)?
  • Question: Tell me about a recent security breach that caught your attention and why?
  • Question: Can you explain [add_a_common_security_issue] to me like I’m five years old?
  • Question (scenario): How would you convince a senior executive to allocate budget for a security activity that you think is necessary?

Open-ended question. Ideally, you’re ensuring that the candidate doesn’t panic and talks about risk management, policy and compliance, data breaches, cost-effort analysis, etc.

  • Question (scenario): Now, let’s assume you’re the executive who was just convinced by one of their security folks. How much would you ideally invest in securing an intranet-only Web application?

If it’s an intranet-only application, why bother, right? No! We’re looking for a mention of concepts such as asset value, impact analysis, risk severity, exposure, etc.

  • Question: Should business requirements be given priority over security requirements, or vice versa?

*TIP: This tip is for candidates. Maintain integrity in your resume, be on time for your interview, and avoid a smirk if someone asks you a question straight from this list.*

While this isn’t an exhaustive list, I hope that these challenges and questions help both the interviewer and interviewee organize thoughts and goals for the best possible discussion. And, while every role and interview experience will vary, focus on process and method rather than simply a right-or-wrong, yes-or-no approach. Happy interviewing, everyone!