How to prepare for a security engineer interview.
Ever since announcing that I will be joining Facebook’s product security team I’ve been getting a lot of questions about how to prepare for interviews. In this article I will try to explain how I approached the interview process in general and what some of the more highly desired tech companies are looking for in interviews. As a predicate I’ve interviewed for an entry level security related position with companies like Google, Snapchat, Amazon, AWS, Okta, GoodRx and Facebook.
I want to start by giving general tips for any interview and then focus on more security and big tech company focused tips. First and foremost, you need to have some mental fortitude because not all interviews will go well. I had an interview that went terribly because it was clearly a position I wasn’t qualified for. You should try your best to not be phased by bad interviews and keep working for the next batch. Interviewing is a skill and the more you do it the better you will get at it. That’s why it is best to always see the failed interviews as warm-up ones that will help you nail a dream job in the future.
In regards to security related positions all the companies I mentioned put different emphasis on coding vs general security knowledge. Since all my experience has been with web based security I don’t have much tips for people who interview for reverse engineering or mobile related security positions. However I can give some general information about what you can expect.
For example Google as a company hires software developers first and domain knowledge comes second as in it can only increase your chances but the interview process will still be heavily software focused. If you interview for Google expect the most challenging coding problems you will get in the industry like medium and up from https://leetcode.com. Since Google interviewers are allowed to bring their own questions there is a wide range of things you can be asked about. You need to know your data structures and algorithms in an out and have some insight into how to apply them in different situations. Also you need to be ready to code without your IDE because coding in Google Docs and on a whiteboard is much different than coding with an IDE and takes some practice.
Snapchat and Facebook on the other hand have a mixed approach in the initial interview where you answer some security related questions for the first half and then work on a coding problem. Security portion of the interviews are usually straightforward and you will probably be asked about things like different types of encryption, how to store passwords, TCP vs UDP etc. Since half the interview will be spent on security, you will have less time in these coding questions and you can expect simpler but layered questions where the more you solve the coding challenge the requirements or the constraints will change to get you to update your solution. In my experience interviewers usually ask progressively more difficult questions so don’t be discouraged if you can’t answer a few towards the end.
Finally the remaining companies did their initial interviews fully focused on security based questions. In these types of interviews you can expect a wide range of questions ranging from basic reverse engineering questions to high level web based questions like “Explain the different types of XSS.” or “How do you prevent CSRF?”. The best thing to do is to be prepared beforehand, as in answer all the potential questions on paper and be ready for progressively more challenging questions. Interviewers will usually try to test the depth of your knowledge as well as your experience so if you answer a question about XSS they might ask you about a time you exploited XSS.
All of the things I mentioned above won’t stay true forever or for every recruiter but the fact remains, there are 3 types of interviews you can encounter. It’s either entirely coding, half coding and half security or 100% security related questions. Your recruiter will usually tell you which one to expect and you can decide on how to prepare for it armed with that knowledge. If they don’t tell you at first don’t hesitate to ask them what to expect and how to prepare. Most companies I interviewed with provided documents on how to best prepare for their interviews.
Now to get on to more practical tips for phone screens, the most important thing you have to do during the call is take notes on a piece of paper. Whenever you are asked a question you don’t know the answer to write it down and after the interview find the right answer. For example, you might be asked to explain an Oauth authentication flow and struggle to get through it the first time. Take that as an opportunity and prepare some notes for the next interview so you can quickly remind yourself if it is asked again. After 3 phone screens I had 2 papers worth of notes in front of me. Second thing you need to be ready for is career based questions. I highly suggest preparing a few stories beforehand so you know what you can talk about if someone asks you “Can you talk about the best bug you found in a bug bounty program?” or “Talk about a technically challenging project you worked on?”. You should have a list of things you can talk about for these types of questions otherwise I found it really difficult to come up with good answers on the spot.
If you get through the initial phone screen you will either be invited for a full day of onsite interviews or another phone screen. Either case same tips apply. Focus on the documents company sent you, keep solving coding problems and polish your stories to answer any career or culture based questions that might come up. Having some general knowledge of the company will be really helpful in these situations because it can inform your decision on what to focus on be it coding problems or security related questions. Depending on the company you can get a wide range of interviews from different people during an onsite. Amazon, Facebook and Google will have different nuances around their onsite process and since I haven’t done all of them I really can’t give any specific tips in regards to onsite interviews except to ask questions to our recruiter to learn what each interview will be about so you can best practice for them.
Good luck in your interviews and don’t forget practice is everything.