Imagine that you are looking to hire a new web application security team member. You’ve found a promising entry or mid-level candidate with a suitable professional background. During the phone screening, they claim to have a ninja-level knowledge of security, and they seem ready to dodge any curveballs you might throw their way.
You decide to bring this confident, enthusiastic candidate in for an interview. But there are so many topics to cover. Where do you begin? McGallen & Bolden Pte Ltd has shared with us this handy list of web application security interview questions to get you started.
1. Basic website and IT questions
Start the interview by making sure the candidate understands how websites and applications work in general. Here, you’re probing to see whether they understand protocols, networking layers, browsers, servers, databases, data at rest, data in transit, and the like. Here are a few classic interview questions to assess their understanding of these topics:
Question: Explain what happens when you enter “google.com” in a browser’s address bar.
This is a very open-ended question, and the right answer depends on the job. In general, the candidate should be able to walk through DNS resolution, the TCP handshake and the TLS handshake (certificate validation included), proxies, HTTP methods such as GET and POST, cookies and session management, and so on. A candidate who starts from a freshly connected host may also bring in DHCP and ARP.
Question: Are you a Mac/Windows/Linux person? Which OS is most secure?
Trick question! No OS is completely secure. A lot depends on how it’s patched, configured, and managed. You can ask follow-up questions on OS hardening, patching, configuration management, and so on.
Tip: Start with open-ended questions and then drill down into specifics based on the candidate’s responses and the job requirements. Trivia questions like “What is the port number for SMTP?” are not helpful.
2. Network security questions
Now that we’ve covered the basics, let’s establish an understanding of the candidate’s network security knowledge.
The candidate has probably been throwing out various network terminology. Now might be a good time to ask, “So how would you hack it?” Skills in network security are essential for an astute application security professional. The candidate should know about common exploits and remediation related to networks.
Here are some relevant network security interview questions:
Question: How would you perform a network reconnaissance?
Here, you’re looking for awareness of basic tools and commands, namely nmap, Nessus, ping, traceroute, nslookup or dig, and so on, plus the sense to distinguish passive reconnaissance (DNS records, public data) from active scanning that the target can see.
Scenario: You’re a web administrator for HandlingMoreTrafficThanFacebook.com. How do you prevent a DDoS attack on the website?
This could be a stress question, especially if the candidate does not have a networking or admin background. All you’re looking for here is a basic understanding of how networks work and what can be done to absorb or drop unwanted traffic: rate limiting and request throttling, load balancers, firewalls and upstream filtering, spare capacity or autoscaling, a third-party CDN or DDoS scrubbing provider, and so on. A good candidate will also say that no single control prevents a DDoS; the goal is to keep the service available while the attack lasts.
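Throttling is the control candidates name most often, so it is worth knowing what it looks like in code. The following is an added example, not code from the original article: a per-client sliding-window rate limiter replayed over constructed traffic (the IP addresses, limits and timings are made up for the illustration). It shows the part of the answer an application team owns; volumetric floods that saturate the link have to be dropped upstream by a CDN or scrubbing provider before they reach this code.

```python
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # client_id -> timestamps of accepted requests

    def allow(self, client_id, now=None):
        now = time.monotonic() if now is None else now
        q = self._hits[client_id]
        # Forget accepted requests that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: answer 429 and do no further work for this request
        q.append(now)
        return True


def simulate(requests, limit, window):
    """Replay (timestamp, client_id) pairs in time order; count accepted/rejected per client."""
    limiter = SlidingWindowLimiter(limit, window)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts, client in sorted(requests):
        stats[client]["accepted" if limiter.allow(client, now=ts) else "rejected"] += 1
    return dict(stats)


# Constructed traffic, not real logs: one source hammers the site 50 times in a second
# while a legitimate client makes five requests over ten seconds.
SAMPLE_TRAFFIC = [(i * 0.02, "203.0.113.7") for i in range(50)] + \
                 [(i * 2.0, "198.51.100.2") for i in range(5)]

if __name__ == "__main__":
    print(simulate(SAMPLE_TRAFFIC, limit=10, window=5.0))
```

Keying on the client IP is the simplest choice and the one a candidate will usually propose; a follow-up question is what happens behind a NAT or a CDN (many users share one address, so the key should come from the forwarded client address or a session identifier instead).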
Scenario: You’re sitting at a Starbucks enjoying a macchiato and free public Wi-Fi. How do you go about hacking other people on the network?
You’re asking the candidate to think like an attacker. You’re looking for a well-thought-out approach and things like packet sniffing (Wireshark), man-in-the-middle attacks (ARP spoofing, a rogue access point, the WPAD attack), eavesdropping on unencrypted traffic, the Metasploit framework and its tools, and so on. A strong candidate will also note that properly deployed TLS (with HSTS) is what makes most of this unproductive today.
Tip: Don’t ask about the differences between TCP and UDP. This question has been beaten to death already!
3. Web application security questions
Without any further ado, let’s proceed to the core challenge.
Now is the time to ask some OWASP Top 10 questions to test your candidate’s knowledge of common web-based attacks. Attacks include SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), directory traversal, LDAP/XML/command injection, clickjacking, remote file inclusion, remote code execution and, for applications with native components, buffer/integer/heap overflows. You could formulate hundreds of specific web AppSec questions. But since you have limited time to assess the candidate, consider questions that show you their thought process:
Question: Which approach is better: a manual security test or an automated security test?
Short answer: It depends. Long answer: We don’t have a clear winner, so the candidate should compare the pros and cons of both and describe a balanced approach.
Question: What is the difference between white box and black box testing? Which is better?
Trick question, especially the “which is better” part. The answer depends on a host of factors such as cost, time, the team’s requirements, code availability, stage of the SDLC, and so on.
Question: How would you perform a security/penetration test on a web application covering the following scenarios?
Unauthenticated tests on the log-in page. Test for brute forcing, credential stuffing and password spraying, account lockout and user-enumeration behaviour (different errors or timing for valid and invalid usernames), clickjacking, session fixation, and so on. Password cracking and rainbow tables belong to offline attacks on stolen hashes, covered under cryptography below, not to a live log-in page.
Authenticated tests with one user account. Test for the usual suspects from the OWASP Top 10.
Authenticated tests with multiple user accounts. Test for horizontal privilege escalation, vertical privilege escalation, and forceful browsing.
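The multi-account scenario is easiest to explain with code. What follows is an added example, not code from the original article: two minimal handlers in their vulnerable and fixed forms, exercised the way a tester with two accounts would. Horizontal escalation is modelled as reading another user’s order by changing an id (an IDOR); vertical escalation as an admin action that decides the role from a client-supplied parameter. The `User`, `ORDERS`, handler names and request shape are all constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin", set server-side at login


class Forbidden(Exception):
    pass


# Constructed data: order id -> owning user id
ORDERS = {101: 1, 102: 2, 103: 2}


def read_order_vulnerable(request):
    """Authenticated, but never checks ownership: any logged-in user can read any order
    by changing the id in the URL (horizontal privilege escalation / IDOR)."""
    if request["user"] is None:
        raise Forbidden("login required")
    return ORDERS[request["params"]["order_id"]]


def read_order_fixed(request):
    if request["user"] is None:
        raise Forbidden("login required")
    owner = ORDERS.get(request["params"]["order_id"])
    # Object-level check against the session principal, not against anything the client sent.
    # Missing and foreign records get the same answer so ids cannot be enumerated.
    if owner != request["user"].id:
        raise Forbidden("not found")
    return owner


def admin_delete_vulnerable(request):
    """Vertical privilege escalation: the role decision trusts a client-controlled parameter
    (hidden form field, cookie value, or a URL nobody expected the user to type)."""
    if request["params"].get("role") != "admin":
        raise Forbidden("admins only")
    return "deleted"


def admin_delete_fixed(request):
    # The role comes from the server-side session, which the client cannot edit.
    if request["user"] is None or request["user"].role != "admin":
        raise Forbidden("admins only")
    return "deleted"


def succeeds(handler, request):
    """Pentest helper: did the handler let this request through?"""
    try:
        handler(request)
        return True
    except Forbidden:
        return False


ALICE = User(id=1, role="user")
BOB = User(id=2, role="user")
ROOT = User(id=9, role="admin")


def run_escalation_tests():
    """The two-account test matrix from the scenario. True means the escalation
    worked, i.e. a finding."""
    bob_order_as_alice = {"user": ALICE, "params": {"order_id": 102}}
    forged_role = {"user": ALICE, "params": {"user_id": 2, "role": "admin"}}
    return {
        "horizontal_vulnerable": succeeds(read_order_vulnerable, bob_order_as_alice),
        "horizontal_fixed": succeeds(read_order_fixed, bob_order_as_alice),
        "vertical_vulnerable": succeeds(admin_delete_vulnerable, forged_role),
        "vertical_fixed": succeeds(admin_delete_fixed, forged_role),
    }


if __name__ == "__main__":
    print(run_escalation_tests())
```

Forceful browsing is the same vertical check seen from the URL side: a page that is merely unlinked, rather than guarded by a server-side role check like the fixed handler, is reachable by anyone who guesses its path.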
Question: Explain a DOM-based cross-site scripting attack.
Question: Is input validation sufficient to prevent cross-site scripting?
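The answer you want is "no", and the reason is context. Below is an added example, not code from the original article, that makes the point concrete: a display name that passes a reasonable allow-list (the `NAME_RE` rule is hypothetical) still breaks a single-quoted attribute and a JavaScript string literal when pasted in raw, and a free-text field cannot be allow-listed at all. Output encoding chosen per context is what actually prevents the injection; validation is defence in depth on top of it.

```python
import html
import json
import re

# Hypothetical allow-list validation for a "display name" field.
NAME_RE = re.compile(r"^[A-Za-z' -]{1,40}$")


def validate_name(value):
    return NAME_RE.match(value) is not None


# --- Unsafe: validated or not, the value is pasted straight into markup ---

def attr_raw(value):
    # A legitimate O'Brien terminates the attribute early; anything after it is parsed as markup.
    return f"<input name='display' value='{value}'>"


def script_raw(value):
    # Same problem inside a JS string literal.
    return f"<script>var displayName = '{value}';</script>"


# --- Safe: encode for the context the value lands in ---

def body_text(value):
    return f"<p>Hello {html.escape(value, quote=True)}</p>"


def attr_quoted(value):
    return f'<input name="display" value="{html.escape(value, quote=True)}">'


def js_string_literal(value):
    # JSON encoding handles quotes, backslashes and control characters. "</" is rewritten
    # because the HTML parser ends a <script> block at "</script>" even inside a JS string.
    return json.dumps(value).replace("</", "<\\/")


def script_safe(value):
    return f"<script>var displayName = {js_string_literal(value)};</script>"


if __name__ == "__main__":
    name = "O'Brien"                      # passes validation, still breaks raw contexts
    comment = "</script><script>alert(1)</script>"  # free text: no allow-list applies
    print(validate_name(name), attr_raw(name), attr_quoted(name))
    print(script_raw(name), script_safe(name))
    print(script_safe(comment))
```

The same reasoning covers the DOM-based variant from the previous question: a value written into `innerHTML` or `eval` in the browser needs the encoding appropriate to that sink (or a sink that does not interpret markup, such as `textContent`), whatever server-side validation it passed.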
Question: Explain a blind SQL injection attack.
Question: How does a web application firewall (WAF) detect and prevent attacks?
Question: What is the difference between authentication and authorization?
Question: What is same origin policy? What is CORS (cross-origin resource sharing)?
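A candidate who can state the origin tuple and then write a correct CORS decision has understood both halves of this question. The following is an added example, not code from the original article: an origin comparison as the browser performs it (scheme, host and port, with default ports normalised), a server-side allow-list check for the `Origin` header, and the common misconfiguration of reflecting whatever origin arrives. `ALLOWED_ORIGINS` and the host names are hypothetical.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """The (scheme, host, port) triple that the same-origin policy compares."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme)
    return (u.scheme, u.hostname, port)


def same_origin(a, b):
    return origin_of(a) == origin_of(b)


# Hypothetical allow-list of front ends permitted to call this API with cookies.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}


def cors_headers(request_origin, allow_credentials=True):
    """Response headers for a request that carried `Origin: request_origin` (None if absent).

    Exact-match membership, never a substring or prefix test: "https://app.example.evil.net"
    and the literal origin "null" (sandboxed iframes, file:// pages) must both fail.
    """
    if request_origin is None or request_origin not in ALLOWED_ORIGINS:
        return {}  # no Access-Control-Allow-Origin: the browser withholds the response body
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }
    if allow_credentials:
        # "*" is not allowed together with credentials, hence the echo of a vetted origin.
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cors_headers_reflecting(request_origin):
    """Misconfiguration seen in the wild: echo any Origin and allow credentials, which lets
    any site read the victim's authenticated responses."""
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


if __name__ == "__main__":
    print(same_origin("https://app.example/a", "https://app.example:443/b"))
    print(cors_headers("https://app.example"), cors_headers("https://evil.example"))
```

Note that CORS only relaxes reads; a cross-origin POST is sent with cookies regardless, which is why CSRF defences are a separate question.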
Tip: Ask questions that cover all three aspects of a web application vulnerability: root cause, actual attack, and defense mechanisms.
4. Questions about web AppSec tools and practical knowledge
Next, assess the candidate’s familiarity with tools and hands-on experience. There is no precise list of tools, but knowledge of some common ones (such as proxies, packet sniffers, network reconnaissance/monitoring/capturing tools, and fuzzers) is always a plus. Here are some sample questions about web AppSec tools and practical knowledge to consider:
Question: Have you taken part in a bug bounty or CTF contest?
Question: Which is your favorite security tool and why?
Question: What is the most interesting vulnerability you’ve found?
Scenario: You have a log-in page with “username” and “password” fields. How do you test for SQL injection without using any tool?
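This scenario and the blind SQL injection question above share one worked example. It is an added example, not code from the original article: a log-in check built by string concatenation against an in-memory SQLite table, the three hand probes a tester would type into the form (a stray quote, a comment-terminated tautology, and a true/false pair whose responses differ), a boolean-based blind extraction that recovers a stored value one character at a time, and the parameterised query that closes all of it. Passwords are stored in clear here only to keep the demonstration short; section 5 covers why real storage must hash them. The table, accounts and values are constructed.

```python
import sqlite3
import string


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret!"), ("bob", "hunter2")])  # constructed data
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the user's text becomes part of the SQL syntax.
    q = (f"SELECT username FROM users WHERE username = '{username}' "
         f"AND password = '{password}'")
    return conn.execute(q).fetchone() is not None


def login_fixed(conn, username, password):
    # Parameters are bound as data; a quote in the input is just a quote.
    q = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(q, (username, password)).fetchone() is not None


def manual_probes(login):
    """The tests from the interview scenario, typed into the username field by hand."""
    conn = make_db()
    try:
        login(conn, "alice'", "x")
        quote_breaks_query = False
    except sqlite3.Error:            # a database error leaking to the user: strong signal
        quote_breaks_query = True
    comment_bypass = login(conn, "' OR 1=1 --", "anything")
    boolean_differs = (login(conn, "alice' AND 1=1 --", "x")
                       != login(conn, "alice' AND 1=2 --", "x"))
    return {"quote_breaks_query": quote_breaks_query,
            "comment_bypass": comment_bypass,
            "boolean_differs": boolean_differs}


# Characters tried at each position; quotes are left out so the probe stays well-formed.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*_-+=.?"


def blind_extract_password(login, conn, target_user, max_len=32):
    """Boolean-based blind SQLi: the only oracle is whether the log-in succeeds."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            probe = f"{target_user}' AND substr(password, {pos}, 1) = '{c}' --"
            if login(conn, probe, "x"):
                recovered += c
                break
        else:
            break  # no character matched: end of the stored value
    return recovered


if __name__ == "__main__":
    print(manual_probes(login_vulnerable), manual_probes(login_fixed))
    print(blind_extract_password(login_vulnerable, make_db(), "alice"))
```

With the fixed handler every probe is simply a username that does not exist, so the oracle is silent and extraction returns nothing. A time-based variant of the blind technique replaces the equality test with a conditional delay and measures response time, for targets that give no visible true/false difference.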
Tip: Ensure that the candidate remains comfortable by keeping the interview conversational and dropping hints wherever needed.
5. Cryptography questions
Knowledge of basic practical cryptography is a must for any good security professional. The candidate should understand how sensitive data is protected at rest and in transit. They should also know about common cryptographic attacks and prevention. Here are some cryptography interview questions to test this knowledge:
Question: What is the difference between encryption, encoding, and hashing?
It’s better if the candidate can explain with some example algorithms.
Question: What is the difference between asymmetric and symmetric cryptography?
You can ask follow-up questions on example algorithms, key exchange, performance, usage, and so on.
Question: Why is the word “password” a bad password?
You’re testing the candidate’s understanding of password storage and password brute forcing. Listen for concepts such as password crackers, rainbow tables, dictionary attacks, hashing, and salting.
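The concepts in that answer fit in one short script. The following is an added example, not code from the original article: an unsalted SHA-256 store cracked by a lookup table (which is all a rainbow table is, compressed), a salted PBKDF2 store that defeats the table but still falls to a dictionary attack when the password is "password", and the constant-time verification that goes with it. The word list is a constructed stand-in for the real top-N lists an attacker uses; the iteration count follows current PBKDF2-HMAC-SHA256 guidance.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the top of a real password word list.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def unsalted_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist):
    # One precomputed table serves every hash ever stored this way: same input, same output.
    table = {unsalted_hash(w): w for w in wordlist}
    return table.get(target_hex)


def hash_password(password, salt=None, iterations=600_000):
    """Salted, slow, one-way: salt.hex $ iterations $ digest.hex"""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_salted(stored, wordlist):
    # No table helps: each guess must be re-derived with this record's salt and cost.
    # A weak password is still found; the salt and iteration count only make it slower.
    return next((w for w in wordlist if verify_password(w, stored)), None)


if __name__ == "__main__":
    print(crack_unsalted(unsalted_hash("password"), WORDLIST))
    stored = hash_password("password")
    print(stored, crack_salted(stored, WORDLIST))
```

The two things to listen for are in the last function: salting removes the shared precomputation, and cost (iterations, or a memory-hard function such as scrypt or Argon2) slows each guess, but neither rescues a password that sits at the top of every word list.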
Question: How does gmail.com ensure that some hacker on the internet is not reading my emails while Gmail pushes the emails out to me?
Listen for an explanation of TLS (including certificate and hostname validation, and why a self-signed or mismatched certificate is a warning sign), man-in-the-middle attacks, and how to prevent them.
Tip: Unless you’re looking to fill a cryptography ninja position, focus on practical aspects of cryptography implementation (not the gory math behind it).
6. Coding questions
You may be thinking, “Wait, what? Why coding? Isn’t this supposed to be a web application security interview?” But a security professional might have to perform secure code review or write automation scripts, so it’s important to check for this skill. Level of depth, however, depends on the position. These questions will help you gather more information on the candidate’s coding knowledge and experience.
Question: What is the last/biggest/best program you wrote?
Question: What is your programming language of choice and why?
Question: Have you written a program to generate a new programming language?
The idea is that the difficulty level of your programming questions should depend on the job requirement.
7. Questions about other application security topics
Software security is not limited to web application security. Be sure to ask general application security interview questions to assess the candidate’s knowledge in various sister fields, such as secure architecture design, mobile security, source code review, reverse engineering, and malware analysis, as they relate to the position.
8. Questions to assess soft skills
Last but not least are skills and character traits like passion, work ethic, communication, leadership, and professionalism. Here are a few sample questions you can ask from a technical perspective:
Question: What security podcasts/blogs/websites do you follow?
Question: Are you part of any local security group (OWASP chapters/meetup groups)?
Question: Tell me about a recent security breach that caught your attention and why.
Question: Explain [common security issue] to me like I’m five years old.
Question: How would you convince a senior executive to allocate budget for a security activity you think is necessary?
Ask this open-ended question to ensure the candidate doesn’t panic but instead talks about risk management, policy and compliance, data breaches, cost-effort analysis, and so on.
Scenario: You’re an executive who has just been convinced by one of your security folks to secure an intranet-only web application. How much do you invest?
If it’s an intranet-only application, why bother, right? No! Listen for concepts such as asset value, impact analysis, risk severity, exposure, and so on.
Question: Should we prioritize business requirements over security requirements, or vice versa?
Candidate tip: Maintain integrity in your résumé, be on time for your interview, and don’t smirk if someone asks you a question straight from this list.
Remember that this is not an exhaustive list and that every role and interview experience will vary, so it is always best to focus on processes and methods rather than taking a right-or-wrong, yes-or-no approach.