Cloud Security interview questions?

LeBroke (Member, Posts: 490)
So in a somewhat unexpected turn of events, a company I was talking to last year (a San Francisco borderline unicorn) finally got their shirt together and contacted me for an interview (after planning to in October, and then promising to schedule one in early January). It's a hybrid DevOps/security job (DevSecOps) that, from the job description and my conversations with the recruiter, sounds more like something up my alley. I.e. adding security testing to the CI pipeline, making sure CI/CD pipelines are secure, hardening AWS, etc. So fairly typical DevOps stuff with a security bent to it.

However, my interview will be with their director of information security, who from his LinkedIn doesn't seem like a very DevOpsy guy and will probably be more interested in the security side. I do have some limited experience (some scanning/basic pentesting, writing reports), and have worked in an environment heavy on PCI compliance. I do understand hardening AWS infrastructure very well, though.

I can answer basic questions like HIDS vs NIDS or symmetric vs asymmetric encryption but this appears to be a senior role, so he would likely expect more from me.

I would really appreciate some pointers to good resources on typical interviews.
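The "adding security testing to the CI pipeline" part of that job description is easy to describe and surprisingly easy to get wrong in practice: the scanner runs, but nothing ever fails the build, or a waiver added "just for this release" outlives the release. The block below is an added example (not code from this thread or from any particular vendor's tooling) of the gate step that sits after a scanner in a pipeline stage. It assumes a scanner that writes a JSON report with a list of findings carrying "id", "severity" and "location"; the report and the risk-acceptance list are constructed for the example, and the exit status is what the pipeline keys on.

```python
"""Security gate for a CI pipeline stage (added example, not from the thread).

Assumes a scanner (SAST, dependency audit, container scan, ...) that emits a
JSON report shaped like SAMPLE_REPORT below. Both the report and the
acceptance list are constructed sample data.
"""
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report, shaped like a typical scanner's JSON output.
# Note the mixed-case "High": scanners are not consistent about this.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "DEP-001", "severity": "critical", "location": "package-lock.json"},
        {"id": "SAST-017", "severity": "High", "location": "app/auth.py:42"},
        {"id": "SAST-020", "severity": "medium", "location": "app/views.py:10"},
        {"id": "DEP-005", "severity": "low", "location": "package-lock.json"},
    ]
})

# Constructed risk acceptances. Every waiver carries an owner and an expiry
# (ISO date) so that an exception cannot quietly become permanent.
SAMPLE_ACCEPTED = [
    {"id": "DEP-001", "owner": "alice", "expires": "2099-01-01",
     "reason": "vulnerable function not reachable from our code"},
    {"id": "SAST-017", "owner": "bob", "expires": "2020-06-30",
     "reason": "temporary waiver, long expired"},
]


def parse_report(text):
    """Return the findings list with severities normalised to lower case.

    An unknown severity is an error rather than something to skip: if the
    scanner's output format changes, the gate should break loudly, not open.
    """
    findings = json.loads(text).get("findings", [])
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} on finding {f.get('id')!r}")
        f["severity"] = sev
    return findings


def active_waivers(accepted, today):
    """IDs of acceptances that have an owner and have not expired.

    `today` is an ISO date string (YYYY-MM-DD); ISO dates order correctly as
    plain strings, so no date parsing is needed.
    """
    return {a["id"] for a in accepted if a.get("owner") and a["expires"] >= today}


def evaluate(findings, accepted, today, fail_on="high"):
    """Split findings at or above the fail_on severity into blocking and waived."""
    threshold = SEVERITY_RANK[fail_on]
    waived_ids = active_waivers(accepted, today)
    blocking, waived = [], []
    for f in findings:
        if SEVERITY_RANK[f["severity"]] < threshold:
            continue
        (waived if f["id"] in waived_ids else blocking).append(f)
    return {"passed": not blocking, "blocking": blocking, "waived": waived}


def main(argv):
    """Usage: gate.py [REPORT.json ACCEPTED.json]; with no args, run on the samples."""
    from datetime import date
    if len(argv) >= 3:
        with open(argv[1]) as fh:
            report = fh.read()
        with open(argv[2]) as fh:
            accepted = json.load(fh)
    else:
        report, accepted = SAMPLE_REPORT, SAMPLE_ACCEPTED
    result = evaluate(parse_report(report), accepted, date.today().isoformat())
    for f in result["waived"]:
        print(f"WAIVED   {f['id']:10} {f['severity']:9} {f['location']}")
    for f in result["blocking"]:
        print(f"BLOCKING {f['id']:10} {f['severity']:9} {f['location']}")
    print("gate:", "PASS" if result["passed"] else "FAIL")
    return 0 if result["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run on the samples, the gate fails: DEP-001 is waived by an unexpired, owned acceptance, but SAST-017's waiver expired in 2020, so the high finding blocks. The two design choices worth defending in an interview are that unknown severities raise instead of being ignored, and that waivers expire; both are the difference between a scanner that is in the pipeline and one that is actually enforcing anything.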

Comments

  • NavyMooseCCNA (Member, Posts: 544)
    I can't offer any advice, but I can wish you good luck!

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill

  • joneno (Member, Posts: 257)
    Hi Lebroke - Check out this link from OWASP.
    https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Tools

    Don't overthink it, just tell him I said devops is more than just automation...it's a cultural shift for an organization. Lol

    Seriously, for DevSecOps a security professional simply has to be part of the paradigm to "shift left". It's the easiest job out there that doesn't require all the certs techexams folks are crazy about. PM me if you need guidance.
  • LeBroke (Member, Posts: 490)
    joneno wrote: »
    Hi Lebroke - Check out this link from OWASP.
    https://www.owasp.org/index.php/OWASP_AppSec_Pipeline#tab=Pipeline_Tools

    Don't overthink it, just tell him I said devops is more than just automation...it's a cultural shift for an organization. Lol

    Seriously, for DevSecOps a security professional simply has to be part of the paradigm to "shift left". It's the easiest job out there that doesn't require all the certs techexams folks are crazy about. PM me if you need guidance.

    Checked it out, great link, thanks! I'll talk about integrating tools into the pipeline.

    I'm actually heavily on the DevOps side and very light on the security side :) . Would have PM'd you, but the interview is tomorrow so there's probably not too much time to go over stuff. But I can talk for hours about organizational changes.

    I'm more concerned about him asking me fairly basic security questions that I wouldn't be able to answer.
  • alias454 (Member, Posts: 648)
    Every situation is different but when I interviewed for my new role it was much more about culture fit than tech. I was okay on the technical bits and they let things like no AWS experience slide because of other similar experience. Overall, they didn't care about my certs or degree just experience and would I fit in with a small growing team.

    Good luck.
    “I do not seek answers, but rather to understand the question.”
  • TechGuru80 (Member, Posts: 1,539)
    Definitely agree that OWASP is likely to come up in the discussion...could also see the different types (SaaS / PaaS / IaaS) coming up...maybe even the traditional question "is it more expensive to consider security during development, or after it's in production?" After it's in production is the answer. Culture could definitely come up too...the smaller companies, especially in SF, tend to rely heavily on the culture of the company.
  • LeBroke (Member, Posts: 490)
    TechGuru80 wrote: »
    Definitely agree that OWASP is likely to come up in the discussion...could also see the different types (SaaS / PaaS / IaaS) coming up...maybe even the traditional question "is it more expensive to consider security during development, or after it's in production?" After it's in production is the answer. Culture could definitely come up too...the smaller companies, especially in SF, tend to rely heavily on the culture of the company.
    Ironically, I would argue the opposite.

    During development is the obvious answer. But for startups (this one is a startup only in name, but I'm talking about the more general case), whether you live or die is determined by how quickly you can get features on the market. It may literally be the difference between landing a lucrative client, or spending time on a security feature and then not being able to pay your employees next month. Some things do have to be taken into consideration even during the basic prototype phase, such as input sanitization or least-privilege access to infrastructure. But unless you're selling a security product, it can be very counterproductive to, for example, deploy high-end IPS/IDS like Carbon Black in your infrastructure. From a purely monetary perspective, resources can be better spent on, for example, feature development or ensuring high availability.

    Only when you actually have a product in production that is bringing in a revenue stream does it become financially viable to harden everything.

    tl;dr for small companies/projects it may be cheaper to consider security after it's in production when you actually have money to spend on security.

    Of course, in an established company starting a new project from scratch, they don't have an excuse not to consider security right away, if only from basic business sense.

    PS: the job is Vancouver-based, though much of their senior/executive team is in San Francisco.
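The post above singles out least-privilege access to infrastructure as one of the things that cannot wait for the "we have revenue now" phase, and in AWS that is mostly a question of what IAM policies say. The block below is an added example (not code from this thread or from AWS) of a small policy lint that a pipeline could run over policy documents checked into Terraform or CloudFormation before they are applied. The policy document is constructed for the example, and the rule that treats Describe*/List* actions as legitimately needing Resource "*" is an assumption for illustration: check the service authorization reference for each action before relying on it in a real gate.

```python
"""Lint an AWS IAM policy document for common over-privilege patterns.

Added example, not from the thread. SAMPLE_POLICY is constructed. The
_resource_agnostic() rule is a simplifying assumption, not an AWS fact.
"""
import json

# Constructed sample policy with one tight statement and several loose ones.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "Inventory", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "Inverted", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "BlockDelete", "Effect": "Deny",
         "Action": "s3:DeleteBucket", "Resource": "*"},
    ]
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _resource_agnostic(action):
    """ASSUMPTION for this example: treat read-only Describe*/List* calls as
    ones that legitimately need Resource "*". Verify per action before use."""
    op = action.split(":", 1)[1] if ":" in action else action
    return op.startswith("Describe") or op.startswith("List")


def lint_policy(text):
    """Return a list of {"sid", "rule", "detail"} findings for Allow statements.

    Deny statements are skipped: they can only narrow what is permitted.
    """
    doc = json.loads(text)
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        sid = st.get("Sid", f"Statement[{i}]")
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))

        def flag(rule, detail):
            findings.append({"sid": sid, "rule": rule, "detail": detail})

        # NotAction/NotResource invert the match: "everything except" is the
        # opposite of least privilege and is very easy to misread in review.
        if "NotAction" in st:
            flag("not-action", "NotAction allows every API call except the listed ones")
        if "NotResource" in st:
            flag("not-resource", "NotResource allows every resource except the listed ones")

        for a in actions:
            if a == "*":
                flag("action-wildcard", "Action '*' grants every API call")
            elif a.endswith(":*"):
                flag("service-wildcard", f"{a} grants every call in the service")

        # Resource "*" is only acceptable when every action is one that
        # cannot be scoped to a resource (per the assumption above).
        if "*" in resources and not (actions and all(map(_resource_agnostic, actions))):
            flag("resource-wildcard", "Resource '*' on resource-scoped actions")
    return findings


if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"{f['sid']:12} {f['rule']:18} {f['detail']}")
```

On the sample, ReadBucket and Inventory pass, BlockDelete is ignored because it is a Deny, and the other three statements each produce two findings. A real gate would also want to catch `iam:PassRole` without a resource constraint and `sts:AssumeRole` on `*`, but those are service-specific rules; the structure above is what lets you add them one at a time.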
  • TechGuru80 (Member, Posts: 1,539)
    There is a lot of research on the subject on the cost benefit...or if you read any credible InfoSec publication on implementing security during dev or after you will see it’s less expensive during dev...Carbon Black is NOT what the references are towards...those are aftermarket COTS products where it’s more of building mechanisms into the product. OWASP will help you with the types of security but things like input validation and encryption are a few.

    Of course in real life, security may or may not get implemented in dev...but if you get asked specifically which is less expensive and you say after it’s in production, you are gonna get some puzzled looks if they know what they are talking about...I think it’s covered in Security+ level.
  • LeBroke (Member, Posts: 490)
    TechGuru80 wrote: »
    There is a lot of research on the subject on the cost benefit...or if you read any credible InfoSec publication on implementing security during dev or after you will see it’s less expensive during dev...Carbon Black is NOT what the references are towards...those are aftermarket COTS products where it’s more of building mechanisms into the product. OWASP will help you with the types of security but things like input validation and encryption are a few.

    Of course in real life, security may or may not get implemented in dev...but if you get asked specifically which is less expensive and you say after it’s in production, you are gonna get some puzzled looks if they know what they are talking about...I think it’s covered in Security+ level.

    I've been working mostly with the dev side, so the things you describe are simply following development best practices ("sanitize your inputs, dummy"). Security from their perspective would be IDS/IPS, OWASP tools in the CI pipeline, SonarQube scanning, etc.

    That said, not super familiar with the lingo/concepts from a security perspective beyond technical controls, so I picked up a CISSP textbook to remediate some of my knowledge gaps (I figure it's better at condensing information into manageable chunks on a short time frame than a full-on course).

    PS: passed the phone screen with the Director :) He's going to fly out to interview me in-person. Now I have two weeks of vacation in Morocco to study security stuff.
  • TechGuru80 (Member, Posts: 1,539)
    Yeah the only bad thing is best practice and what happens aren't always aligned, and just understand that in practice it definitely could get missed but your DevOps background should be a valuable skillset to identify that type of stuff. Definitely don't stress because as long as they don't have unrealistic expectations you could be a nice fit and pick up the security stuff as you go...congrats and good luck.