Shift left without slowing developers down.
AppSec Engineers embed in product engineering. You run threat models early, set the bar for secure-by-default libraries, triage SAST/DAST output, and build the paved road so the easy path is the secure path.
FAANG
Live code-review round in one of their primary languages plus a threat-model exercise.
Startup
Generalist round — expect to defend tradeoffs against a zero-process baseline.
// Sample question
Engineering wants to roll their own JWT auth library because the existing one is 'too restrictive'. How do you respond?
Don't start with no. Ask what's restrictive and whether it's a config option, a missing feature, or a misunderstanding. If a custom build is unavoidable, insist on a vetted JOSE library underneath, ban `alg=none`, require an explicit algorithm allow-list (never trust the algorithm named in the token header), key rotation, short expirations, and external review before rollout. Document the threat model.
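The checks that answer calls for, as an added illustration rather than code from the page: a minimal HS256 verifier that fixes the algorithm from a server-side allow-list (so `alg=none` and any other header value is rejected before the signature is examined), selects the key by a `kid` so several keys can be live during rotation, compares signatures in constant time, and treats a missing or past `exp` as a hard failure. The key ids and secrets are constructed for the example; a production service should still use a vetted JOSE library rather than this hand-rolled verifier.

```python
import base64, hashlib, hmac, json, time

# Explicit allow-list: anything else, including "none", is rejected before
# the signature is even looked at. Constructed example, not a library.
ALLOWED_ALGS = {"HS256"}

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(payload: dict, kid: str, key: bytes) -> str:
    """Issue an HS256 token carrying a key id so keys can be rotated."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify(token: str, keys: dict, now=None) -> dict:
    """Return the payload if the token is acceptable, else raise ValueError.

    keys maps kid -> secret; keeping several active keys is what makes
    rotation possible without invalidating every live token at once.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # 1. Algorithm must be on our allow-list; the header is untrusted input.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Key selected by kid; an unknown kid is a hard failure.
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    # 3. Constant-time signature comparison.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # 4. exp is mandatory and enforced; short lifetimes limit replay.
    payload = json.loads(b64url_decode(p_b64))
    if "exp" not in payload or now >= int(payload["exp"]):
        raise ValueError("missing or expired exp")
    return payload
```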
AI-graded, role-specific, feedback on every answer. Free to start.