So, you’re looking to hire a new Web application security team member? You’ve found a promising entry or mid-level candidate (depending on the open position you’re looking to fill) with a suitable professional background. During the phone screening, they claim to have a ninja-level knowledge of security, and seem ready to dodge any challenges you might throw their way. Is that so? As the interviewer, you’re thinking “challenge accepted!”
You decide to bring this confident, enthusiastic candidate in for an interview. Let’s start by testing their general IT knowledge, shall we?
Start off the interview by testing the candidate to ensure that they understand how websites work in general. Here, you’re probing to ensure they have a fair understanding of protocols, networking layers, browsers, servers, databases, data at rest, data in transit, and the like.
Here are a few classic interview questions to gather their understanding on these topics:
This is a very open-ended question. The right answer varies as per the job requirements. But in general, the candidate should have a fair understanding of DNS, DHCP, ARP, TCP and SSL/TLS handshakes, proxy, cookies, session management, HTTP methods, GET/POST, etc.
Trick question! No OS is completely secure and a lot depends on how is it patched, configured, and managed. Follow-up questions can be asked on OS hardening, patching, configuration management, etc.
*TIP: Start with open-ended questions and then drill down into the specifics based on the candidate’s responses and job requirements. Trivia questions like ‘what is the port number for SMTP?’ are not recommended.*
Now that you’ve covered the basics, let’s establish an understanding of their network security knowledge.
The candidate has probably been throwing out various network terminology. Now might be a good time to ask “so, how would you hack it?” Skills in network security are essential for an astute application security professional. The candidate should know about the common exploits and remediation related to networks. Here are some relevant network-related questions for your candidate:
Here, you’re looking for awareness of basic tools and network commands—namely nmap, nessus, ping, traceroute, nslookup, etc.
This could be a stress question, especially if the candidate does not have a networking or admin background. All you’re looking for here is the basic understanding of how networks work and what can be done to prevent unsolicited requests to your website—using things such as throttling, load balancers, smart firewalls, bandwidth flexibility, third-party content delivery network providers, etc.
You may ask the candidate to think like an attacker. You’re looking for a well-thought-out approach and things like packet sniffing (Wireshark), man-in-the-middle attacks (like the WPAD attack), eavesdropping on unencrypted data, Metasploit framework and tools, etc.
*TIP: Cover all 3 things related to a vulnerability: the root cause, the actual attack, and the defense mechanisms.*
And without any further ado, let’s proceed to the core challenge.
Now is the time to test your candidate’s knowledge on common Web-based attacks and their familiarity with taxonomies like the OWASP Top 10, describing attacks such as SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), directory traversal, LDAP/XML/command injection, clickjacking, remote file inclusion, remote code execution, buffer/integer/heap overflows, etc. Hundreds of questions can be formulated on this category alone; however, since there is only limited time to assess the candidate, consider questions where you’ll be able to understand their thought process:
Short answer: It depends. Long answer: We don’t have a clear winner so the candidate should compare the pros and cons of both and describe a balanced approach.
Trick question, especially the “which is better” part. It depends on a host of factors such as cost, time, team’s requirements, code availability, stage of SDLC, etc.
Unauthenticated tests on login page
Test for brute forcing, password cracking, rainbow table attacks, account lockouts, clickjacking, session fixation, etc.
Authenticated tests with one user account
Test for the usual suspects from OWASP Top 10.
Authenticated tests with multiple user accounts
Test for horizontal privilege escalation, vertical privilege escalation, and forceful browsing.
*TIP: Don’t ask about the differences between TCP and UDP. This question is beaten to death already!*
Next, test the candidate for their familiarity with tools and hands-on experience. There is no precise list of tools, but a familiarity with some common ones (such as proxies, packet sniffers, network reconnaissance/monitoring/capturing tools, fuzzers, etc.) is always a plus. Here are some sample questions to consider:
*TIP: Ensure that the candidate remains comfortable by keeping the interview conversational and dropping hints wherever needed.*
Knowledge of basic practical cryptography is a must for any good security professional who should not only understand how sensitive data is protected at rest and in transit, but should also know about common cryptographic attacks and preventions. Here are some questions to test this knowledge:
It’s better if candidate can explain with some example algorithms.
This can have follow-up questions on example algorithms, key exchange, performance, usage, etc.
This is to test the candidate’s understanding on password storage and password brute forcing. Here, you’re looking for concepts like: password crackers, rainbow tables, dictionary attacks, hashing, and salting.
Here, you’re looking for SSL/TLS explanation, man-in-the-middle attacks, and their prevention.
*TIP: Unless you’re looking to fill a cryptography ninja position, only focus on practical aspects of cryptography (not the gory math behind it).*
You may be thinking “wait, what? Why coding? Isn’t this supposed to be a Web AppSec interview?”
A security professional might have to perform secure code review or write automation scripts. It is important to check for this skill as well; level of depth, however, depends on the position at hand. These questions will help the interviewer gather more information on their coding knowledge and experience:
You might expect an answer such as “thanks for interviewing me; I will seek employment elsewhere.” Just kidding! The idea is that the programming question’s difficulty level depends on the job requirement.
Software security is not just Web application security. The candidate’s knowledge in various sister fields like: secure architecture design, mobile security, source code review, reverse engineering, and malware analysis should be discussed with regards to the position at hand.
Last, but not least, are the skills like passion, work ethic, communication, leadership, and professionalism. While I’m no HR pro, I do have a few sample question recommendations that can be asked from the technical perspective:
Open-ended question. Ideally, you’re ensuring that the candidate doesn’t panic and talks about risk management, policy and compliance, data breaches, cost-effort analysis, etc.
If it’s an intranet-only application, why bother, right? No! We’re looking for mention of similar concepts of asset value, impact analysis, risk severity, exposure, etc.
*TIP: This tip is for candidates. Maintain integrity in your resume, be on time for your interview, and avoid a smirk if someone asks you a question straight from this list.*
While this isn’t an exhaustive list, I hope that these challenges and questions help both the interviewer and interviewee organize thoughts and goals for the best possible discussion. And, while every role and interview experience will vary, focus on processes and method rather than a simply right or wrong, yes or no approach. Happy interviewing, everyone!