AppSec Engineer interview questions — OWASP, secure code review, threat modelling, SAST/DAST, security champions.
Walk me through OWASP Top 10 (2021).
A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Identification & Auth Failures, A08 Software & Data Integrity, A09 Logging & Monitoring Failures, A10 SSRF. Be ready to give a real example of each.
Differences between authentication, authorisation, and session management bugs.
AuthN bugs: weak password policy, credential stuffing, MFA bypass. AuthZ bugs: IDOR, BAC, privilege escalation, missing function-level checks. Session: predictable IDs, cookie misconfig (missing HttpOnly/Secure/SameSite), session fixation, no rotation on auth-state change.
Live code review: spot the bug in this Express handler with user input in a Mongo query.
Likely NoSQL injection via operator injection ({"$gt":""}). Fix: typed input via Joi/Zod schema, treat all user input as string, escape operator chars, parameterise via Mongoose schema enforcement.
How do you threat-model a new feature?
Lightweight STRIDE: ask the team to draw the data flow, identify trust boundaries, walk through STRIDE per element, agree top 3 mitigations + tests. Aim for 60 min, ship in ADR.
Explain how JWTs go wrong in production.
alg=none bypass, weak HS256 secrets, missing audience check, long TTL + no rotation, token in URL → log leakage, no revocation list, storing in localStorage (XSS exfil). Mitigations: RS256 / ES256, kid header, short TTL, refresh rotation, httpOnly cookie.
How do you triage a bug bounty report?
Reproduce in scope, validate severity (CVSS 3.1 + business context), de-duplicate, route to engineering owner with proposed fix, agree timeline, validate fix, pay bounty + close. Track median time-to-fix.
Build a security champions programme from scratch.
Identify 1 champ per 8–12 engineers. Define charter (training, PR review, threat-modelling assistance). Quarterly cohorts, monthly office hours. Recognise via internal badges + promo packets. Measure: champ-attributed bug catches, training completion, programme NPS.
SAST + DAST + SCA + IAST — pick a stack and defend it.
SAST: Semgrep (community rules + custom) + CodeQL (deep flow). SCA: Snyk + Dependabot. DAST: ZAP (CI), Burp Suite Pro (manual). IAST: Contrast Assess if budget allows. Run as PR-blocking only where signal-to-noise is high; otherwise informational + triage.
How do you handle a developer who keeps shipping vulns?
1:1 coaching first — identify if knowledge gap, time pressure, or framework issue. Pair on next PR. Provide secure-by-default library. If pattern persists, escalate to their manager with data. Avoid public shaming.
Explain Same-Origin Policy and CORS pitfalls.
SOP isolates scripts by (scheme, host, port). CORS relaxes for specific origins via Access-Control-Allow-Origin. Pitfalls: ACAO:* + ACAC:true is invalid; reflecting Origin without allow-list = wildcard; misconfigured preflight; pre-2017 IE quirks. Always allow-list explicit origins.
Walk me through fixing an XSS in a React app.
React auto-escapes JSX text. XSS usually comes from dangerouslySetInnerHTML, href={user-input}, or third-party libs rendering raw HTML. Fix: sanitise via DOMPurify, validate URL schemes, audit third-party renderers, CSP with nonce as defence in depth.
Tell me about a security control that engineers worked around. What did you do?
Behavioural. Show you diagnosed root cause (friction, lack of paved road, unclear ROI), iterated the control to reduce friction, won engineering trust back.
Usually a secure code review on a PR or short snippet. Sometimes a 'write a Semgrep rule' or 'fix this vuln' exercise.
Pick 2–3 (e.g. Node/Express + Python/Django + Go). Show transferable principles rather than memorised framework gotchas.
Naming shift in some firms; the work is the same. Senior AppSec = Product Security at Apple, Google, Meta.
Strong signal at junior; less weighted at senior (engineering judgement matters more than exploit count).
Run AI-graded mock interviews with panel personas and structured feedback.