June 16, 2013
Security is an often neglected aspect in the tech industry. It is
usually delegated to special teams with a reputation of being paranoid
naysayers who come in right before a product launch and put up barriers
and make your life difficult in general. But security needs to be an
integral part of any product from the very beginning; it cannot
be tacked on at the end. Security does not stand in contrast to usability
if your product is designed from the beginning with security in mind and
treated as an equally important factor as usability. On the flipside:
you cannot secure a system if usability suffers. People are lazy, and
will always choose (or invent) the faster, easier, more
convenient way to get things done regardless of their security
One of the problems in many development environments is the lack of a
general security awareness. If only "security experts" think about
security, then it's no surprise that products are developed without much
consideration for data- and user-privacy, confidentiality, transport
safety, safe defaults, etc. As an example of this general lack of
security awareness, take a look at any collection of interview questions
or tips -- hardly any touch upon these topics. When I saw Kate Matsudaira's Epic List of Interview
Questions, I tersely tried to make that point:
Kate replied and suggested that I provide some security related
questions on my own, which seems fair enough to me. So I'm
compiling a list of useful, general security questions below. Please bear
in mind that these questions are specifically intended not for
security experts or applicants for positions with a focus on security, but
rather questions for all engineers. That is, there is
intentionally no "Security section"; security needs to be part of all
Below, I will follow Kate's topical outline; questions taken from her
list or extended are in italics. If you have questions to suggest
yourself, please let me know (via email, or twitter).
Abstraction & Design
- You are tasked with designing software that runs and controls
elevators. Explain the defaults for all options available in your
implementation. What safety precautions do you have to build in?
- Imagine you were tasked with designing an instant messaging program /
mobile app. Explain the access model and privacy implications of your
- Explain the user interface and process flow decisions of an ATM. How
would you redesign/improve the UI?
- Your login process requires a password. Talk about the UI decisions
around this. What tradeoffs do you make between password complexity
requirements and usability? How do you design the user feedback for
repeatedly entered wrong passwords?
- What feedback can you give a user to assure them that their
data/connection/... is "secure"?
Algorithms (different approaches and performance)
- Write a function which will return a random number from the
list. How do you know the "random" numbers you generate are actually
random? (Not a question about algorithms, but a good starting point to
talk about randomness in general.)
- Take a number lock with N digits. For what value of N is
brute-forcing the lock a reasonable option? Assume you can parallelize
your brute-forcing attempts - how does that change your answer?
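The "is it actually random" question usually comes down to two things: where the bits come from (a CSPRNG such as os.urandom, not a seeded PRNG) and how they are mapped onto your list. The second part is easy to get wrong, so here is an added Python example (mine, not part of the original post) that makes the modulo bias of the naive mapping visible and shows the rejection-sampling fix. `biased_choice`, `unbiased_index` and the histogram helpers are illustrative names of my own; the `rand_bytes` hook exists only so the sampler can be driven with known input.

```python
import os
import secrets
from collections import Counter


def biased_choice(items, raw_byte):
    """The naive approach: map one random byte onto the list with modulo.
    Unless len(items) divides 256 exactly, the low indices come up more often
    (256 = 85*3 + 1, so with three items index 0 wins 86/256 of the time)."""
    return items[raw_byte % len(items)]


def unbiased_index(n, rand_bytes=os.urandom):
    """Rejection sampling: draw a byte, throw away the values that would wrap.
    This is the idea behind secrets.randbelow() (which works over more bytes);
    the rand_bytes hook is here so the sampler can be fed known input."""
    if not 0 < n <= 256:
        raise ValueError("n must be in 1..256 for this one-byte sampler")
    limit = 256 - (256 % n)          # largest multiple of n that fits in a byte
    while True:
        b = rand_bytes(1)[0]
        if b < limit:
            return b % n


def secure_choice(items):
    """What production code should call: CSPRNG-backed and bias-free."""
    return items[secrets.randbelow(len(items))]


def residue_histogram(n):
    """Walk all 256 byte values through `% n` to make the modulo bias visible."""
    return Counter(b % n for b in range(256))


def rejection_histogram(n):
    """The same walk over the rejection sampler's accepted range: uniform."""
    limit = 256 - (256 % n)
    return Counter(b % n for b in range(limit))


if __name__ == "__main__":
    print("modulo bias, n=3:", dict(residue_histogram(3)))
    print("rejection,   n=3:", dict(rejection_histogram(3)))
    print("secure pick:", secure_choice(["red", "green", "blue"]))
```

The bias is small for three items but grows with larger, non-power-of-two lists (for ten items, residues 0..5 each get 26 of the 256 byte values and 6..9 only 25). Note that no amount of statistical testing on the output proves unpredictability; the histogram catches the mapping bug, but whether the source is unpredictable is a property of the generator, which is why the example draws from os.urandom rather than random.random().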
Problem Solving (like algorithms, only more general)
- Write a password cracker. What input could it take to
become more efficient?
- Using your environment's user data, how long would it take for a
normal desktop/laptop to brute force all passwords? How would you speed
this up? (Can you slow this down in some way?)
- Design an anonymous question / answer board with the ability to
'accept' answers or delete your own questions.
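To make the password-cracker questions concrete, here is an added Python example (my own, not from the original post) of a minimal dictionary-plus-rules cracker against unsalted SHA-1 hashes, a short-PIN brute-forcer, and a benchmark that shows the one thing the defender controls: the cost per guess. The wordlist and the "leaked" hashes are constructed for the example; `WORDLIST`, `mangle`, `crack`, `guesses_per_second` and `slow_hasher` are names I chose for illustration.

```python
import hashlib
import itertools
import string
import time

# Constructed sample wordlist; a real cracker would load a large leaked corpus,
# ideally one from the target's own user base, which is the single most
# effective input it can be given.
WORDLIST = ["password", "letmein", "summer", "dragon", "qwerty", "monkey"]


def sha1_hex(pw: str) -> str:
    """Unsalted SHA-1: the (bad) storage scheme this cracker is aimed at."""
    return hashlib.sha1(pw.encode()).hexdigest()


def mangle(word):
    """A tiny rule set: as-is, capitalised, digit suffix, year suffix."""
    yield word
    yield word.capitalize()
    for d in range(10):
        yield f"{word}{d}"
    for year in ("2012", "2013"):
        yield f"{word}{year}"


def crack(targets, wordlist, hasher=sha1_hex):
    """Dictionary attack. Because the targets are unsalted, one candidate hash
    is checked against every target at once: the cost is per candidate, not
    per candidate per user. Returns {hash: plaintext} for whatever it found."""
    remaining = set(targets)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = hasher(cand)
            if h in remaining:
                found[h] = cand
                remaining.discard(h)
                if not remaining:
                    return found
    return found


def brute_force(target, alphabet=string.digits, max_len=4, hasher=sha1_hex):
    """Exhaustive search for short PIN-style secrets; keyspace is |alphabet|**len."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if hasher(cand) == target:
                return cand
    return None


def guesses_per_second(hasher, seconds=0.2):
    """Benchmark one core: how many candidates per second does this hasher allow?"""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher(f"candidate{n}")
        n += 1
    return n / seconds


def slow_hasher(pw: str, iterations: int = 100_000) -> str:
    """How the defender slows this down: a deliberately expensive KDF. The salt
    is fixed here only to keep the benchmark comparable; real storage uses a
    random per-user salt so one guess cannot be checked against everyone."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"demo-salt", iterations).hex()


if __name__ == "__main__":
    leaked = [sha1_hex(p) for p in ("dragon7", "monkey2013", "Tr0ub4dor&3")]
    print("cracked:", crack(leaked, WORDLIST))
    print("PIN:", brute_force(sha1_hex("0420")))
    print(f"sha1:   {guesses_per_second(sha1_hex):,.0f} guesses/s")
    print(f"pbkdf2: {guesses_per_second(slow_hasher):,.0f} guesses/s")
```

The two numbers the benchmark prints are the whole argument: a plain hash allows hundreds of thousands of guesses per second on one laptop core (and far more on a GPU), while a KDF with a high iteration count brings that down by orders of magnitude, and a per-user salt removes the "check every target at once" shortcut on top of that. Rate-limiting and lockouts only help against online guessing; once the hash database has leaked, the hash cost is the only brake left.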
Command Line & Scripting
- Explain how SSH tunneling / port forwarding works. What are some
pitfalls or risks?
- How does sudo(1) work? What are common related pitfalls?
- What is the difference in permissions on a directory that is mode
0777 and one that is mode 1777?
- Why should or shouldn't you have . (dot) in your
- Write a simple script that requires the user to enter a password and
pass it to another program. Talk me through the various considerations,
assumptions and decisions you need to make.
- Where does your database live on your network? Explain the access
controls around it.
- How do you restrict access to your database by different
- Your automated tools cannot prompt the user for a password to run
commands against the database -- how do you handle this?
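The "enter a password and pass it to another program" script and the "tools cannot prompt" follow-up share one set of decisions: never put the secret in argv (visible to every local user via ps(1) and /proc), avoid the environment (inherited by every child, dumped into crash reports), use a pipe or a locked-down file, and fail hard if the file's permissions are wrong. Here is an added Python example of my own that does exactly that; it is not code from the original post. The child program is a constructed stand-in, and `naive_command`, `pass_secret_via_stdin`, `load_secret_file`, `get_secret` and `write_secret_file` are names I chose.

```python
import getpass
import os
import stat
import subprocess
import sys
import tempfile

# Stand-in for "another program": a child that reads one line from stdin and
# reports only its length, so nothing secret is printed. (Constructed for the
# example; think of a database client that accepts the password on stdin.)
CHILD = [sys.executable, "-c",
         "import sys; print('got', len(sys.stdin.readline().strip()), 'chars')"]


def naive_command(secret: str) -> list:
    """The common mistake, built but deliberately never executed here: the
    secret goes on the command line, where any local user can read it via
    ps(1) or /proc/<pid>/cmdline for as long as the process runs."""
    return ["sometool", "--password", secret]


def pass_secret_via_stdin(secret: str) -> str:
    """Hand the secret over a pipe instead: not in argv, not in the child's
    environment (which every grandchild inherits and which tends to end up in
    crash dumps and debug output)."""
    proc = subprocess.run(CHILD, input=secret + "\n", capture_output=True,
                          text=True, check=True, timeout=10)
    return proc.stdout.strip()


def load_secret_file(path: str) -> str:
    """Headless case: read the secret from a file that must belong to us and
    be unreadable by group and others. Refuse a loose mode instead of warning,
    so a careless chmod fails the job loudly rather than leaking silently."""
    st = os.stat(path)
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not us")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))}, want 0600")
    with open(path) as f:
        return f.readline().rstrip("\n")


def secret_file_is_safe(path: str) -> bool:
    try:
        load_secret_file(path)
        return True
    except PermissionError:
        return False


def get_secret(secret_file=None) -> str:
    """Interactive if a terminal is attached, file-based otherwise; never an
    argv flag, never an environment variable."""
    if secret_file:
        return load_secret_file(secret_file)
    if sys.stdin.isatty():
        return getpass.getpass("Password: ")   # no echo, not in shell history
    raise SystemExit("no terminal attached and no secret file given")


def write_secret_file(secret: str, mode: int) -> str:
    """Helper for the demo: create a temp file holding the secret with the given mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as f:
        f.write(secret + "\n")
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    pw = get_secret(sys.argv[1] if len(sys.argv) > 1 else None)
    print(pass_secret_via_stdin(pw))
```

Run it as `python3 script.py` on a terminal and it prompts without echo; run it from cron with `python3 script.py /etc/myapp/db.secret` and it reads the file, provided the file is mode 0600 and owned by the job's user. The remaining question the interviewer is after is the one the script cannot answer for you: who can read that file, who can become that user, and whether the credential it holds is scoped to the one thing the job needs.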
Data Modeling & Data Schemas
- Your application allows users to purchase items using credit cards.
Describe the data model and schemas used to protect both the users'
privacy (shipping address, purchase history, ...) as well as CC data.
SQL Queries (querying for data)
- Why is ping(8) setuid? (Then talk about what you can do with
raw sockets, move on to tcpdump(1).)
- What's the difference between HTTP and HTTPS?
- Why couldn't you traditionally do name-based virtual hosting with HTTPS? What changed with SNI, and what does that leak?
- Describe what happens when I type https://google.com into a browser
and hit return. Be as detailed as possible.
System Design & Thinking
- How do you deploy your code?
- How would you store passwords in a web application? Your mobile
- Are there alternatives to storing passwords?
- How do you handle SSH host keys?
- How do you bootstrap trust amongst hosts?
- At what point in the development cycle do you involve your security
- What is the difference between "fail-open" and "fail-closed"? Give
examples of when either is more appropriate than the other.
- Discuss the concept of anonymity in a common website / application /
- How do you authenticate to the API?
- What kind of data do you accept from clients?
- What kind of functionality do you expose in the API? How do you
decide which functionality requires authentication and which can be
- Your application allows users to upload photos. How do you verify
that the data you received is in fact a photo?
- What library functions do you use for processing users'
- How do you process data uploaded or entered by a user?
- What are CSRF and XSS? What can you do to protect your users?
- What are CSP and "secure cookies"?
- We all love jquery, google-analytics, etc. How do you source
third-party toolkits like these?
- When/how would you integrate with Twitter/Facebook/Google login? What
are the repercussions / advantages?
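For the "how would you store passwords" question, this is the answer I would want to hear written out, as an added Python example of my own (not code from the original post): a random per-user salt, a slow KDF with its parameters stored alongside the hash, a constant-time comparison, a transparent upgrade when the cost parameters are raised, and a dummy hash so that an unknown username takes as long to reject as a wrong password. `hash_password`, `verify_password`, `needs_rehash` and `login` are illustrative names; the `users` dict stands in for whatever table the application uses.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # tune so one hash costs ~100 ms on your servers; stored with the hash


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Random 16-byte salt per user, slow KDF, self-describing record so the
    parameters can be raised later without a flag day."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join((ALGO, str(iterations), _b64(salt), _b64(dk)))


def verify_password(password: str, stored: str) -> bool:
    algo, iters, salt, dk = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unknown algorithm {algo!r}")
    expected = base64.b64decode(dk)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt), int(iters))
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with weaker parameters than current policy."""
    algo, iters, _, _ = stored.split("$")
    return algo != ALGO or int(iters) < iterations


# Hashed once at import so that rejecting an unknown username costs the same
# as rejecting a wrong password (no "does this account exist?" timing oracle).
_DUMMY = hash_password("not-a-real-password")


def login(users: dict, username: str, password: str, iterations: int = ITERATIONS) -> bool:
    stored = users.get(username, _DUMMY)
    ok = verify_password(password, stored) and username in users
    if ok and needs_rehash(stored, iterations):
        users[username] = hash_password(password, iterations)   # transparent upgrade
    return ok


if __name__ == "__main__":
    users = {"alice": hash_password("correct horse battery staple")}
    print(users["alice"])
    print("alice/ok:   ", login(users, "alice", "correct horse battery staple"))
    print("alice/wrong:", login(users, "alice", "Tr0ub4dor&3"))
    print("bob/any:    ", login(users, "bob", "anything"))
```

The iteration count is a knob, not a constant: raise it as hardware gets faster, and the `needs_rehash` path moves each user forward on their next successful login. In production you would reach for a library that provides bcrypt, scrypt or Argon2 rather than hand-rolling PBKDF2, but the record format, the constant-time compare and the dummy-hash trick carry over unchanged. As for the "alternatives" follow-up: not storing a password at all (federated login, hardware tokens, passkeys) shifts the problem rather than removing it, and is worth discussing in the same breath.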
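For the "how do you verify that the data you received is in fact a photo" question, the core point is that the filename extension and the client's Content-Type header are attacker-controlled and prove nothing; you decide from the bytes. Here is an added Python example of my own (not code from the original post) that sniffs PNG, JPEG and GIF headers, pulls the declared dimensions out of each, and uses them to reject decompression bombs before anything tries to decode the file. The sample inputs are constructed byte strings (headers only); `sniff_image`, `validate_upload` and the sample constants are names I chose.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# JPEG "start of frame" markers that carry the dimensions: all of 0xC0..0xCF
# except DHT (0xC4), JPG (0xC8) and DAC (0xCC).
JPEG_SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}


def _jpeg_dims(data: bytes):
    i = 2                                   # skip SOI (FF D8)
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError("jpeg: expected marker")
        marker = data[i + 1]
        if marker == 0xFF:                  # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            i += 2
            continue
        (seglen,) = struct.unpack(">H", data[i + 2:i + 4])
        if marker in JPEG_SOF:
            if i + 9 > len(data):
                raise ValueError("jpeg: truncated frame header")
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seglen
    raise ValueError("jpeg: no frame header found")


def sniff_image(data: bytes):
    """Identify the format from the bytes alone; return (kind, width, height).
    Filename and Content-Type are deliberately not consulted."""
    if data.startswith(PNG_SIG):
        if len(data) < 33:
            raise ValueError("png: truncated")
        length, ctype = struct.unpack(">I4s", data[8:16])
        if ctype != b"IHDR" or length != 13:
            raise ValueError("png: first chunk must be IHDR")
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    if data[:3] == b"\xff\xd8\xff":
        width, height = _jpeg_dims(data)
        return "jpeg", width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        width, height = struct.unpack("<HH", data[6:10])
        return "gif", width, height
    raise ValueError("not a PNG, JPEG or GIF")


def validate_upload(data: bytes, max_bytes: int = 10_000_000, max_pixels: int = 25_000_000):
    """Gate an upload: byte cap first (cheap), then format sniff, then a pixel
    cap so a tiny file that claims 40000x40000 cannot exhaust memory on decode."""
    if len(data) > max_bytes:
        raise ValueError("too large")
    kind, w, h = sniff_image(data)
    if w == 0 or h == 0 or w * h > max_pixels:
        raise ValueError(f"{kind}: unacceptable dimensions {w}x{h}")
    return kind, w, h


def is_acceptable_upload(data: bytes) -> bool:
    try:
        validate_upload(data)
        return True
    except ValueError:
        return False


# Constructed sample inputs (headers only; enough for the checks above).
PNG_64x48 = PNG_SIG + struct.pack(">I4sIIBBBBB", 13, b"IHDR", 64, 48, 8, 6, 0, 0, 0) + b"\0\0\0\0"
PNG_BOMB = PNG_SIG + struct.pack(">I4sIIBBBBB", 13, b"IHDR", 40000, 40000, 8, 6, 0, 0, 0) + b"\0\0\0\0"
JPEG_32x16 = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"            # APP0
              + b"\xff\xc0\x00\x11\x08\x00\x10\x00\x20\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01")  # SOF0
GIF_10x20 = b"GIF89a" + struct.pack("<HH", 10, 20) + b"\x00\x00\x00"
PHP_SHELL = b"<?php system($_GET['c']); ?>"   # uploaded as 'photo.jpg'

if __name__ == "__main__":
    for name, blob in [("png", PNG_64x48), ("jpeg", JPEG_32x16), ("gif", GIF_10x20),
                       ("bomb", PNG_BOMB), ("php", PHP_SHELL)]:
        print(name, is_acceptable_upload(blob))
```

Header sniffing is the cheap first gate, not the last one: a file can carry a valid JPEG header and still be a polyglot that is also valid PHP or HTML, and the decoder you run afterwards is the attack surface that matters most. The rest of the answer is to re-encode the image with a library you trust, in a process with no privileges and a memory cap, and to serve the result from a separate origin with a fixed Content-Type so that whatever survives cannot execute in your site's context.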
Reliability & Operations
- Tell me about a security incident you've taken part in.
- How do you determine whether or not a security update needs to be
applied? Should you always install the latest version?
- Who in your organization has 'root'? How is 'root' access
- How do you handle service accounts (headless accounts, automation
accounts, ...) and the access they have?
- How do you manage / utilize shared jumpboxes in your environment?
What are some of the implications and pitfalls of having them?
- What are the top 3 things you do to improve a system's security?
- What is "Trustworthy Computing"?
- Is closed or open source software more secure?
- How does a cryptographic hash function differ from "encryption"?
- How do collisions in such hash functions affect security (in theory
and in practice)?
Teamwork & Collaboration
- How do you handle the case if a senior member (with lots of subject
matter expertise) of your team continues to take shortcuts or engage in
unsafe coding practices?
- Do you have experience with teams / organizations with a generally
security-aware culture? How did / would you establish such a culture?
Product Sense & Judgment
- How would you attack $SomeProduct / $SomeWebsite?
- Comment on the privacy trade-offs in today's social networks. Compare
mobile app defaults and settings.
- Your customers / users complain about a policy or restriction dictated
by your organization's security team. You do not agree with the policy,
either -- how do you defend it? How do you circle back feedback?
- How do you communicate breaches of your security with your customers?
Productivity & Ability to Get Things Done
- Tell me about how you keep track of the hundreds of passwords you
- How does your organization handle collaborative editing? What are
some advantages and what are the trade-offs made?
Focus on Quality
- Have you ever done or requested a penetration test of your
product/network? If so, how was this done, what was your role? (If not,
- What is the difference between input validation and input
- Do you have experience with tools like sqlmap, brakeman, Burp Suite, BeEF, etc.?
- Have you ever participated in a "Capture the Flag" competition/game?
- Almost every developer/engineer sooner or later ends up
designing (perhaps unwittingly) a protocol involving some form of
"authentication". Tell me about yours.
- How do you communicate breaches of your security with the
press/twitter/internet at large? (I.e., can you improve on ``We take security seriously...''?)
- How do you communicate breaches of your security within your organization?
- What is more important: usability or security? (A trick question
indeed.) How much does your answer depend on the context?
- How do the principles exhibited by the organization reflect your own?
- Review the data privacy model of the organization you're applying with
-- what improvements or changes would you suggest?
- "The Net interprets censorship as damage and routes around it." -- is
General / Other
- What are common pitfalls in string handling?
- What is a buffer overflow?
- In the programming language of your choice, describe how you execute
a system command with certain parameters provided by the user.
- How does SSL certificate verification work?
- ssh(1) warns you about a hostkey fingerprint mismatch. What
do you do? (No, be honest.) How do you solve this problem?
- How much can you trust DNS?
- What kind of data do you currently make available to third parties?
What services do you outsource? What are the tradeoffs you make?
- How do you communicate / store / handle passwords or other "secrets"
with your peers?
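The "execute a system command with parameters provided by the user" question has a short correct answer (no shell, argv list) and two follow-ups that separate the candidates: what to do when a shell really is needed, and the fact that quoting does not stop argument injection. Here is an added Python example of my own (not from the original post) showing all three; the external tool is a constructed stand-in that echoes its argument, and `unsafe_command_line`, `run_safely`, `run_via_shell_quoted` and `is_safe_name` are illustrative names.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for the external tool: prints its first argument back verbatim.
# (Constructed so the example runs wherever Python does; substitute convert,
# git, ping or whatever your application really shells out to.)
ECHO_ARG = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def unsafe_command_line(user_input: str) -> str:
    """What naive string building hands to /bin/sh under shell=True. Returned,
    not executed: with user_input = 'x; rm -rf ~' the ';' terminates the
    intended command and the remainder runs as a second one."""
    return f"tool --name {user_input}"


def run_safely(user_input: str) -> str:
    """No shell involved: an argv list makes the input exactly one argument,
    whatever metacharacters it contains."""
    proc = subprocess.run(ECHO_ARG + [user_input], capture_output=True,
                          text=True, check=True, timeout=10)
    return proc.stdout.rstrip("\n")


def run_via_shell_quoted(user_input: str) -> str:
    """If a shell is genuinely needed (a pipeline, say), quote every token that
    came from the user; shlex.quote wraps it so the shell sees one word."""
    cmd = " ".join(shlex.quote(p) for p in ECHO_ARG + [user_input])
    proc = subprocess.run(cmd, shell=True, capture_output=True,
                          text=True, check=True, timeout=10)
    return proc.stdout.rstrip("\n")


def is_safe_name(user_input: str) -> bool:
    """Allow-list the value itself, independently of how it is passed. Quoting
    stops shell injection but not *argument* injection: a value beginning with
    '-' is still parsed by the tool as an option (think '--output=/etc/passwd',
    or ssh's '-oProxyCommand='). Hence no leading '-' or '.' here; passing
    '--' before user-derived arguments is the other half of that defence."""
    return bool(re.fullmatch(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}", user_input))


if __name__ == "__main__":
    payload = "photo.jpg; echo INJECTED"
    print("would run:     ", unsafe_command_line(payload))
    print("argv list:     ", run_safely(payload))
    print("quoted shell:  ", run_via_shell_quoted(payload))
    print("allow-listed?  ", is_safe_name(payload), is_safe_name("--output=x"))
```

The argv form is the one to default to; the quoted form exists for the rare case where the shell's own features are the point, and the allow-list applies either way. The same reasoning covers the SQL, LDAP and template-injection cousins of this question: keep data out of the code channel entirely rather than trying to escape it in.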
Last updated: 2014-05-19.
Many thanks to the following people for contributing to this list: