role

Application Security Interview Questions Interview Questions

AppSec Engineer interview questions — OWASP, secure code review, threat modelling, SAST/DAST, security champions.

AppSec interview loops blend hands-on code review with architectural depth and developer empathy. Expect live PR review, OWASP-mapped scenario questions, and questions on running a security champions programme. ## Interview questions and strong-answer skeletons Each question below is drawn from recent UK and US interview loops for the role or framework. Use the answer skeletons as scaffolding — adapt to your specific experience.

Questions

  1. 01

    Walk me through OWASP Top 10 (2021).

    Show strong-answer outline

    A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Identification & Auth Failures, A08 Software & Data Integrity, A09 Logging & Monitoring Failures, A10 SSRF. Be ready to give a real example of each.

  2. 02

    Differences between authentication, authorisation, and session management bugs.

    Show strong-answer outline

    AuthN bugs: weak password policy, credential stuffing, MFA bypass. AuthZ bugs: IDOR, BAC, privilege escalation, missing function-level checks. Session: predictable IDs, cookie misconfig (missing HttpOnly/Secure/SameSite), session fixation, no rotation on auth-state change.

  3. 03

    Live code review: spot the bug in this Express handler with user input in a Mongo query.

    Show strong-answer outline

    Likely NoSQL injection via operator injection ({"$gt":""}). Fix: typed input via Joi/Zod schema, treat all user input as string, escape operator chars, parameterise via Mongoose schema enforcement.

  4. 04

    How do you threat-model a new feature?

    Show strong-answer outline

    Lightweight STRIDE: ask the team to draw the data flow, identify trust boundaries, walk through STRIDE per element, agree top 3 mitigations + tests. Aim for 60 min, ship in ADR.

  5. 05

    Explain how JWTs go wrong in production.

    Show strong-answer outline

    alg=none bypass, weak HS256 secrets, missing audience check, long TTL + no rotation, token in URL → log leakage, no revocation list, storing in localStorage (XSS exfil). Mitigations: RS256 / ES256, kid header, short TTL, refresh rotation, httpOnly cookie.

  6. 06

    How do you triage a bug bounty report?

    Show strong-answer outline

    Reproduce in scope, validate severity (CVSS 3.1 + business context), de-duplicate, route to engineering owner with proposed fix, agree timeline, validate fix, pay bounty + close. Track median time-to-fix.

  7. 07

    Build a security champions programme from scratch.

    Show strong-answer outline

    Identify 1 champ per 8–12 engineers. Define charter (training, PR review, threat-modelling assistance). Quarterly cohorts, monthly office hours. Recognise via internal badges + promo packets. Measure: champ-attributed bug catches, training completion, programme NPS.

  8. 08

    SAST + DAST + SCA + IAST — pick a stack and defend it.

    Show strong-answer outline

    SAST: Semgrep (community rules + custom) + CodeQL (deep flow). SCA: Snyk + Dependabot. DAST: ZAP (CI), Burp Suite Pro (manual). IAST: Contrast Assess if budget allows. Run as PR-blocking only where signal-to-noise is high; otherwise informational + triage.

  9. 09

    How do you handle a developer who keeps shipping vulns?

    Show strong-answer outline

    1:1 coaching first — identify if knowledge gap, time pressure, or framework issue. Pair on next PR. Provide secure-by-default library. If pattern persists, escalate to their manager with data. Avoid public shaming.

  10. 10

    Explain Same-Origin Policy and CORS pitfalls.

    Show strong-answer outline

    SOP isolates scripts by (scheme, host, port). CORS relaxes for specific origins via Access-Control-Allow-Origin. Pitfalls: ACAO:* + ACAC:true is invalid; reflecting Origin without allow-list = wildcard; misconfigured preflight; pre-2017 IE quirks. Always allow-list explicit origins.

  11. 11

    Walk me through fixing an XSS in a React app.

    Show strong-answer outline

    React auto-escapes JSX text. XSS usually comes from dangerouslySetInnerHTML, href={user-input}, or third-party libs rendering raw HTML. Fix: sanitise via DOMPurify, validate URL schemes, audit third-party renderers, CSP with nonce as defence in depth.

  12. 12

    Tell me about a security control that engineers worked around. What did you do?

    Show strong-answer outline

    Behavioural. Show you diagnosed root cause (friction, lack of paved road, unclear ROI), iterated the control to reduce friction, won engineering trust back.

Frequently asked questions

Live coding in AppSec interviews — what to expect?

Usually a secure code review on a PR or short snippet. Sometimes a 'write a Semgrep rule' or 'fix this vuln' exercise.

Do I need to know every framework?

Pick 2–3 (e.g. Node/Express + Python/Django + Go). Show transferable principles rather than memorised framework gotchas.

Are AppSec roles being absorbed by Product Security?

Naming shift in some firms; the work is the same. Senior AppSec = Product Security at Apple, Google, Meta.

How important is bug bounty / CTF for AppSec interviews?

Strong signal at junior; less weighted at senior (engineering judgement matters more than exploit count).

Rehearse Application Security Interview Questions questions live

Run AI-graded mock interviews with panel personas and structured feedback.

Start free
// related