Security Engineer
Updated for 2026: Security Engineer interview questions and answers covering core skills, tools, and best practices for roles in the US, Europe & Canada.
What is threat modeling and how do you do it in practice?
Threat modeling identifies what can go wrong before shipping. Steps: - Define assets and trust boundaries - List entry points and attackers - Enumerate threats (STRIDE) - Prioritize mitigations It produces concrete actions: auth improvements, input validation, logging, least privilege, and secure defaults.
What are the OWASP Top 10 risks and how do you reduce them in real systems?
OWASP Top 10 highlights common web app risks like broken access control, injection, insecure design, and security misconfiguration. Mitigation requires secure defaults, strong authz checks, input validation, safe libraries, and continuous testing (SAST/DAST) plus code reviews.
How do you run an effective vulnerability management program?
Vulnerability management is prioritization + remediation. Process: - Asset inventory - Continuous scanning - Risk-based prioritization (CVSS + exposure) - Patch SLAs - Verification and reporting Focus on exploitable paths and keep stakeholders aligned with clear timelines and ownership.
What does an incident response process look like during a security event?
Incident response focuses on contain, eradicate, and recover. Steps: - Triage and scope - Containment (limit damage) - Evidence collection - Remediation - Post-incident review Prepare with runbooks, logging, tabletop exercises, and clear communication paths.
What is a SIEM and what should you log for effective detection?
A SIEM aggregates logs for detection and investigation. Log: - Auth events (success/failure) - Privileged actions - Network flows - API access patterns - Endpoint events Quality matters: normalize fields, add correlation IDs, reduce noise, and build detections tied to real threats.
How do you implement least privilege in IAM for humans and services?
Least privilege means granting only what’s needed. Practices: - Role-based access and scoped policies - Short-lived credentials - Separation of duties - Regular access reviews Treat service identities as first-class: rotate keys, restrict blast radius, and audit usage continuously.
What are best practices for secrets management in production systems?
Secrets management reduces credential leakage. Best practices: - Use secret managers (not env files) - Rotate secrets and audit access - Use short-lived tokens - Avoid logging secrets Implement strong processes: incident response for leaks and automated scanning to catch secrets in repos.
How do encryption and key management (KMS) work in secure architectures?
Encryption protects data at rest and in transit. Key management best practices: - Use KMS for key storage and rotation - Use envelope encryption - Restrict key access and audit usage Keys are the real asset: protect them with least privilege and strong monitoring.
What do you look for in a security-focused code review?
Security reviews focus on abuse paths. Check: - Authn/authz enforcement - Input validation and encoding - Secrets handling - Logging of sensitive data - Safe dependency use Also evaluate error handling and whether changes introduce SSRF, injection, or privilege escalation risks.
What does a secure SDLC look like in high-performing teams?
Secure SDLC integrates security into development. Includes: - Threat modeling early - SAST/DAST in CI - Dependency scanning - Security reviews for risky changes - Incident response readiness Security should be a delivery enabler: guardrails, automation, and clear standards.
What is software supply chain security and how do you reduce risk?
Supply chain security protects builds and dependencies. Practices: - Pin and verify dependencies - Use SBOMs - Signed builds and provenance - Restrict CI permissions Also monitor for typosquatting and compromised packages and have a fast patch/rollback process.
What is the cloud shared responsibility model and why does it matter?
Cloud providers secure the underlying infrastructure; customers secure what they configure and run. Misunderstanding this leads to misconfigurations (public buckets, overly broad IAM). Security teams must set guardrails, scanning, and policies to prevent common mistakes and ensure teams understand responsibilities.
How do you use network segmentation to reduce blast radius?
Segmentation limits lateral movement. Techniques: - Separate networks by environment and sensitivity - Restrict east-west traffic - Use private endpoints - Apply least-privilege firewall rules Combine segmentation with strong identity controls and monitoring. Network controls alone are not sufficient without auth and auditing.
What is penetration testing and how is it different from vulnerability scanning?
Scanning finds known issues; penetration testing simulates real attacker behavior to validate exploitability. Pen tests identify chained attacks, privilege escalation paths, and business logic flaws. A strong program combines scanning, pen tests, bug bounty, and secure development practices.
What is SSRF and how do you prevent it in cloud applications?
SSRF occurs when attackers make your server request internal resources. Mitigations: - URL allowlists - Block private IP ranges - Use metadata service protections - Strong egress controls SSRF is especially dangerous in cloud because it can access instance metadata and credentials.
What are common authentication and authorization failures you see in systems?
Common failures: - Missing server-side authorization checks - Insecure session/token storage - Weak password policies without MFA - Overly broad roles Fix with least privilege, strong session handling, MFA, and consistent policy enforcement at the service boundary.
What security metrics matter for leadership and why?
Metrics should reflect risk reduction. Examples: - Time to remediate critical vulns - Coverage of logging and detection - MFA adoption and privileged access - Incident response time Avoid vanity metrics. Tie numbers to outcomes: reduced exposure and faster containment.
What is Zero Trust and how do you apply it pragmatically?
Zero Trust means no implicit trust based on network location. Practical steps: - Strong identity and device posture - Least privilege access - Continuous verification - Segmentation and monitoring Adopt incrementally by protecting the most sensitive systems first and measuring reduction in lateral movement risk.
How do you build effective detections from logs (detection engineering)?
Effective detections are tied to real threat behaviors. Steps: - Identify high-signal log sources - Normalize fields and add context - Write detections for known TTPs - Tune to reduce false positives Always add runbooks and triage steps so alerts are actionable, not noise.
How do you prevent security misconfigurations in cloud and application systems?
Misconfigurations are a leading cause of incidents. Prevention: - Policy-as-code checks in CI - Guardrails and templates - Continuous scanning (CSPM) - Least privilege IAM Make secure defaults easy and insecure changes difficult. Pair automation with education and clear ownership.