Signs of Triviality


Security Related Interview Questions for all Engineers

June 16, 2013

Security is an often neglected aspect in the tech industry. It is usually delegated to special teams with a reputation of being paranoid naysayers who come in right before a product launch and put up barriers and make your life difficult in general. But security needs to be an integral part of any product from the very beginning; it cannot be tacked on at the end. Security does not stand in contrast to usability if your product is designed from the beginning with security in mind and treated as an equally important factor as usability. On the flipside: you cannot secure a system if usability suffers. People are lazy, and will always choose (or invent) the faster, easier, more convenient way to get things done regardless of their security implications.

One of the problems in many development environments is the lack of a general security awareness. If only "security experts" think about security, then it's no surprise that products are developed without much consideration for data and user privacy, confidentiality, transport safety, safe defaults, etc. As an example of this general lack of security awareness, take a look at any collection of interview questions or tips -- hardly any touch upon these topics. When I saw Kate Matsudaira's Epic List of Interview Questions, I tersely tried to make that point:

Kate replied and suggested that I provide some security related questions on my own, which seems fair enough to me. So I'm compiling a list of useful, general security questions below. Please bear in mind that these questions are specifically intended not for security experts or applicants for positions with a focus on security, but rather questions for all engineers. That is, there is intentionally no "Security section"; security needs to be part of all considerations.

Below, I will follow Kate's topical outline; questions taken from her list or extended are in italics. If you have questions to suggest yourself, please let me know (via email, or twitter).


Security Related Interview Questions

Abstraction & Design

  • You are tasked with designing software that runs and controls elevators. Explain the defaults for all options available in your implementation. What safety precautions do you have to build in?
  • Imagine you were tasked with designing an instant messaging program / mobile app. Explain the access model and privacy implications of your design.
  • Explain the user interface and process flow decisions of an ATM. How would you redesign/improve the UI?
  • Your login process requires a password. Talk about the UI decisions around this. What tradeoffs do you make between password complexity requirements and usability? How do you design the user feedback for repeatedly entered wrong passwords?
  • What feedback can you give a user to assure them that their data/connection/... is "secure"?

Algorithms (different approaches and performance)

  • Write a function which will return a random number from the list. How do you know the "random" numbers you generate are actually random? (Not a question about algorithms, but a good starting point to talk about randomness in general.)
  • Take a number lock with N digits. For what value of N is brute-forcing the lock a reasonable option? Assume you can parallelize your brute-forcing attempts - how does that change your answer?

Problem Solving (like algorithms, only more general)

  • Write a password cracker. What input could it take to become more efficient?
  • Using your environment's user data, how long would it take for a normal desktop/laptop to brute force all passwords? How would you speed this up? (Can you slow this down in some way?)
  • Design an anonymous question / answer board with the ability to 'accept' answers or delete your own questions.

Command Line & Scripting

  • Explain how SSH tunneling / port forwarding works. What are some pitfalls or risks?
  • How does sudo(1) work? What are common related pitfalls?
  • What is the difference in permissions on a directory that is mode 0777 and one that is mode 1777?
  • Why should or shouldn't you have . (dot) in your PATH?
  • Write a simple script that requires the user to enter a password and pass it to another program. Talk me through the various considerations, assumptions and decisions you need to make.

Database Administration

  • Where does your database live on your network? Explain the access controls around it.
  • How do you restrict access to your database by different accounts/users?
  • Your automated tools cannot prompt the user for a password to run commands against the database -- how do you handle this?

Data Modeling & Data Schemas

  • Your application allows users to purchase items using credit cards. Describe the data model and schemas used to protect both the users' privacy (shipping address, purchase history, ...) as well as CC data.

SQL Queries (querying for data)

Networking

  • Why is ping(8) setuid? (Then talk about what you can do with raw sockets, move on to tcpdump(1).)
  • What's the difference between HTTP and HTTPS?
  • Why can't you do Virtual Named Servers when using HTTPS?
  • Describe what happens when I type https://google.com into a browser and hit return. Be as detailed as possible.

System Design & Thinking

  • How do you deploy your code?
  • How would you store passwords in a web application? Your mobile app?
  • Are there alternatives to storing passwords?
  • How do you handle SSH host keys?
  • How do you bootstrap trust amongst hosts?
  • At what point in the development cycle do you involve your security team?
  • What is the difference between "fail-open" and "fail-closed"? Give examples of when either is more appropriate than the other.
  • Discuss the concept of anonymity in a common website / application / protocol.

APIs

  • How do you authenticate to the API?
  • What kind of data do you accept from clients?
  • What kind of functionality do you expose in the API? How do you decide which functionality requires authentication and which can be accessed anonymously?

Web Development

  • Your application allows users to upload photos. How do you verify that the data you received is in fact a photo?
  • What library functions do you use for processing users' passwords?
  • How do you process data uploaded or entered by a user?
  • What are CSRF and XSS? What can you do to protect your users?
  • What are CSP and "secure cookies"?
  • We all love jQuery, google-analytics, etc. How do you source third-party toolkits like these?
  • When/how would you integrate with Twitter/Facebook/Google login? What are the repercussions / advantages?

Reliability & Operations

  • Tell me about a security incident you've taken part in.
  • How do you determine whether or not a security update needs to be applied? Should you always install the latest version?
  • Who in your organization has 'root'? How is 'root' access granted?
  • How do you handle service accounts (headless accounts, automation accounts, ...) and the access they have?
  • How do you manage / utilize shared jumpboxes in your environment? What are some of the implications and pitfalls of having them?
  • What are the top 3 things you do to improve a system's security?

Software Engineering

  • What is "Trustworthy Computing"?
  • Is closed or open source software more secure?
  • How does a cryptographic hash function differ from "encryption"?
  • How do collisions in such hash functions affect security (in theory and in practice)?

Teamwork & Collaboration

  • How do you handle the case if a senior member (with lots of subject matter expertise) of your team continues to take shortcuts or engage in unsafe coding practices?
  • Do you have experience with teams / organizations with a generally security-aware culture? How did / would you establish such a culture?

Product Sense & Judgment

  • How would you attack $SomeProduct / $SomeWebsite?
  • Comment on the privacy trade-offs in today's social networks. Compare mobile app defaults and settings.

Customer Focus

  • Your customers / users complain about a policy or restriction dictated by your organization's security team. You do not agree with the policy, either -- how do you defend it? How do you circle back feedback?
  • How do you communicate breaches of your security with your customers?

Productivity & Ability to Get Things Done

  • Tell me about how you keep track of the hundreds of passwords you have.
  • How does your organization handle collaborative editing? What are some advantages and what are the trade-offs made?

Focus on Quality

  • Have you ever done or requested a penetration test of your product/network? If so, how was this done, what was your role? (If not, why not?)
  • What is the difference between input validation and input sanitization?
  • Do you have experience with tools like sqlmap, brakeman, Burp Suite, BeEF, etc.?

Curiosity

  • Have you ever participated in a "Capture the Flag" competition/game?
  • Almost every developer/engineer sooner or later ends up designing (perhaps unwittingly) a protocol involving some form of "authentication". Tell me about yours.

Communication

  • How do you communicate breaches of your security with the press/twitter/internet at large? (I.e., can you improve on "We take security seriously..."?)
  • How do you communicate breaches of your security within your organization?

Passion

  • What is more important: usability or security? (A trick question indeed.) How much does your answer depend on the context?

Culture Fit

  • How do the principles exhibited by the organization reflect your own?
  • Review the data privacy model of the organization you're applying with -- what improvements or changes would you suggest?
  • "The Net interprets censorship as damage and routes around it." -- is this true?

General / Other

  • What are common pitfalls in string handling?
  • What is a buffer overflow?
  • In the programming language of your choice, describe how you execute a system command with certain parameters provided by the user.
  • How does SSL certificate verification work?
  • ssh(1) warns you about a hostkey fingerprint mismatch. What do you do? (No, be honest.) How do you solve this problem?
  • How much can you trust DNS?
  • What kind of data do you currently make available to third parties? What services do you outsource? What are the tradeoffs you make?
  • How do you communicate / store / handle passwords or other "secrets" with your peers?
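Two of the questions above (the "script that passes a password to another program" one under Command Line & Scripting, and the "execute a system command with user-provided parameters" one here) share a common answer shape, shown in the added example below, which is not code from the original post. It assumes a POSIX host with printf(1) and cat(1) on the PATH, and the inputs are constructed for the demonstration.

```python
"""Added example: handing user-supplied parameters and secrets to a child
process. Assumes a POSIX host with printf(1) and cat(1) on PATH; the
sample inputs are constructed."""
import getpass
import subprocess


def run_shell_string(user_value: str) -> str:
    """Risky pattern: user data spliced into a shell command line.

    Kept only as the 'before' case: /bin/sh interprets ';', '$(...)' and
    other metacharacters in user_value, so a parameter becomes code.
    """
    proc = subprocess.run("printf '%s\\n' " + user_value, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_argv(user_value: str) -> str:
    """Safe pattern: argv list, no shell, so user_value is one argument.

    Metacharacters are plain characters to the child; input validation
    (length, charset) still applies, but it is no longer load-bearing.
    """
    proc = subprocess.run(["printf", "%s\n", user_value], shell=False,
                          capture_output=True, text=True)
    return proc.stdout


def feed_secret(cmd: list[str], secret: str) -> str:
    """Deliver a secret on the child's stdin, not argv or the environment.

    argv is visible to every local user via ps(1) and in shell history;
    the environment is inherited by every grandchild process and can end
    up in crash dumps. stdin is seen only by the child that reads it.
    """
    proc = subprocess.run(cmd, input=secret + "\n", capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed input: a benign parameter that is also a second command.
    print(repr(run_shell_string("a; echo b")))  # 'a\nb\n'
    print(repr(run_argv("a; echo b")))          # 'a; echo b\n'
    # getpass prompts without echo; cat stands in for the real consumer.
    pw = getpass.getpass("Password for demo consumer: ")
    print(feed_secret(["cat"], pw), end="")
```

The same input yields two lines from the shell-string version and one from the argv version; that difference is the whole interview answer.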

Last updated: 2014-05-19.

Many thanks to the following people for contributing to this list: @deorth, @janl, @kimor79, @netik, @viss
