Some tips on answering certain interview questions

I often ask a job candidate how familiar they are with a particular security or web topic in order to gauge the technical starting point of a question. For example, if the interviewee is somewhat familiar (or perhaps feels likes a 3 on a scale of 1 to 5) with HTTP I’ll dig into whether GET and POST are any different from a security perspective and expect to hear some distinctions between session (i.e. non-persistent) cookies and session IDs as they relate to authentication. Someone less familiar might receive a question on workflows (e.g. what types of threats might there be to a check-out process) that focuses on critical thinking rather than knowledge of the protocol. Someone more familiar should be able to name the pros and cons of possible CSRF defenses. By doing this I hope to set the candidate at ease in order to start a conversation that can grow in a direction where I can try to (quickly) figure out their level of knowledge.

In any case, basing your security experience on the SQL injection article from Wikipedia won’t get you very far.

Tip zero: “I don’t know” would have worked fine. Really, it would. I’d rather have an interesting conversation about something else that you do know.

Tip one: When reading verbatim from a web page try to avoid changing the inflection of your voice from a conversational tone to a lecturing one. While I may not hear you frantically typing keywords into a search engine, I can hear the switch from extemporaneous ideas to textual regurgitation.

Tip two: If you’re going to double-down on first-hand knowledge of SQL injection vulns by claiming to know different ways to exploit them, don’t repeat the initial mistake by reading the “Blind SQL Injection” description from the same article.

Tip three: Don’t quote Wikipedia. Although I find the article on SQL injection poorly stated and I never use it as a reference, it’s a safe bet that I’m familiar enough to recognize its wikispeak. At least try something from the article’s References or External Links sections. You might even get bonus points for quoting something from Chapter Three of The Book — everyone has a weak spot.

Now, I too often err on the side of politeness so here’s the deal: If I ask a suspiciously-leading follow-up question stated as, “Imagine you have a table called users and you want to see if the username Ralph exists. What do you do?” then just pretend that you’re driving into a tunnel and hang up. Whatever you do don’t answer, “I would use a SELECT one divided by zero”. Otherwise, you’re going into the same bin as the persons who listed knowing Pi to the Feynman point as a key skill1 and the ability to learn any programming language in four hours2.

1 Trust me, I love the joke, but with a bold geek step like that you’ve got to have some other skills to back it up.
2 My quibble is the ability to do something useful besides writing “Hello, world.”

Published by Mike Shema

Mike works with product security and DevSecOps teams to build safer applications. He also writes about information security, with an infusion of references to music (80s), sci-fi (apocalyptic), and horror (spooky) to keep the topics entertaining. He hosts the Application Security Weekly podcast.

%d bloggers like this: