Index · Interview talking points
1 min readRapid overview
Interview talking points
- "Security is built in, not bolted on" — name the lifecycle phases (design/build/deploy/run) and a concrete activity in each: threat modeling, SAST/SCA on PRs, hardened config-as-code, signed artifacts + SBOM, runtime monitoring.
- Explain why A04 Insecure Design is special: it's the absence of a control, so it can't be patched — the fix is threat modeling, abuse cases, and security requirements. Walk through STRIDE on a quick example (e.g., a password-reset flow).
- Distinguish A05 Misconfiguration ("the deployment is insecure") from A06 Components ("the libraries are insecure") — they're different root causes with different fixes (hardened baseline vs. SCA/patching).
- Tell the supply-chain story (SolarWinds, Log4Shell): A08 is about trusting code/updates without verifying integrity, and the build pipeline is now the crown jewel. Mention signing, SLSA/provenance, locked dependencies, and verifying update signatures.
- Give the SSRF answer crisply: server fetches an attacker-chosen URL → reaches internal/metadata
169.254.169.254→ credential theft (Capital One). Defense = allow-list + validate resolved IP + block redirects + egress firewall + IMDSv2. - Compare SAST/DAST/IAST/SCA on three axes: what they analyze, when they run, and their false-positive profile — and place them on a pipeline diagram (shift left).
- Articulate the two cross-cutting principles: secure-by-default (the safe option is the default) and defense-in-depth (layered, fail-closed) — and tie them to "blast radius."
- Close the loop with A09: prevention isn't perfect, so detection-and-response (logging, SIEM, alerting, IR plan) is the required safety net. Mention never logging secrets/PII.