Common Interview Questions
Easy
What is authentication vs authorization?
Authentication verifies who a user is, usually via credentials like passwords, tokens, or certificates. Authorization determines what an authenticated user is allowed to access or perform. Authentication happens first; authorization depends on its result.
What is HTTPS and why is it important?
HTTPS is HTTP layered over TLS to encrypt communication between client and server. It protects against eavesdropping, tampering, and man-in-the-middle attacks. It also provides server identity verification via certificates.
What is hashing and how is it different from encryption?
Hashing is a one-way transformation that produces a fixed-length digest from input data. It cannot be reversed, unlike encryption, which is designed to be decrypted. Hashing is commonly used for password storage and data integrity.
What is a firewall?
A firewall filters incoming and outgoing network traffic based on predefined rules. It helps prevent unauthorized access to or from a private network. Firewalls can be network-based, host-based, or cloud-managed.
What is SQL injection?
SQL injection occurs when untrusted input is concatenated into SQL queries. Attackers can manipulate queries to read, modify, or delete data. Parameterized queries and input validation prevent this.
What is the principle of least privilege?
Least privilege means granting users and services only the permissions they need to perform their tasks. This reduces the blast radius of compromised accounts or bugs. Permissions should be reviewed and minimized regularly.
What is a vulnerability vs a threat vs a risk?
A vulnerability is a weakness in a system. A threat is something that can exploit that weakness. Risk is the likelihood and impact of a threat exploiting a vulnerability.
What is a secure password policy?
A secure password policy enforces minimum length, complexity, and uniqueness. It discourages reuse and may require periodic rotation based on risk. Passwords should be stored using slow, salted hashing algorithms.
What is Cross-Site Scripting (XSS)?
XSS allows attackers to inject malicious scripts into web pages viewed by other users. It can steal cookies, perform actions as the user, or redirect traffic. Output encoding and Content Security Policy mitigate XSS.
What is multi-factor authentication (MFA)?
MFA requires two or more independent factors such as something you know, have, or are. It significantly reduces account takeover risk. Even if a password is compromised, the attacker still needs the second factor.
Medium
How does TLS establish a secure connection?
TLS uses a handshake to negotiate cryptographic parameters and authenticate the server using certificates. A shared symmetric key is derived using asymmetric cryptography. Subsequent traffic is encrypted using fast symmetric encryption.
Why should passwords be hashed with salt and a slow algorithm?
Salt prevents precomputed rainbow table attacks and ensures identical passwords hash differently. Slow algorithms like bcrypt, scrypt, or Argon2 increase the cost of brute-force attacks. This significantly raises the attacker’s required resources.
What is CSRF and how is it prevented?
CSRF tricks a user’s browser into making unintended authenticated requests. It is prevented using CSRF tokens, same-site cookies, and origin validation. Idempotent operations should not cause state changes.
What is role-based access control (RBAC)?
RBAC assigns permissions to roles instead of individual users. Users inherit permissions by being assigned to roles. This simplifies management and reduces configuration errors.
How do API authentication tokens differ from session cookies?
Tokens are typically stateless and sent explicitly in headers. Cookies are often managed by browsers and tied to server-side sessions. Tokens scale better for distributed systems but require careful storage on clients.
What is a man-in-the-middle attack?
An attacker intercepts and possibly alters communication between two parties. This can occur on unsecured networks or with forged certificates. TLS with certificate validation mitigates this risk.
What is input validation vs output encoding?
Input validation ensures incoming data conforms to expected formats. Output encoding ensures data is safely rendered in a target context like HTML or SQL. Both are needed because validation alone cannot guarantee safety.
How does OAuth differ from traditional login?
OAuth delegates authorization without sharing user credentials with third parties. The client receives scoped access tokens instead of passwords. It reduces credential exposure and improves interoperability.
What is secret management and why is it important?
Secret management securely stores and rotates credentials, keys, and tokens. Hardcoding secrets increases leakage risk through logs or repositories. Centralized secret stores enable auditing and access control.
What is rate limiting used for in security?
Rate limiting restricts how many requests a client can make in a time window. It mitigates brute-force attacks, scraping, and denial-of-service attempts. It also protects backend capacity.
Hard
How would you design a secure authentication system for a distributed service?
Use centralized identity with short-lived tokens and refresh mechanisms. Enforce MFA, secure password hashing, and strong TLS everywhere. Include monitoring, revocation, and anomaly detection.
What are the trade-offs between symmetric and asymmetric encryption?
Symmetric encryption is fast and efficient for large data volumes. Asymmetric encryption simplifies key distribution but is computationally expensive. Systems often combine both in hybrid schemes.
How do you secure data at rest and in transit in a cloud system?
Encrypt data at rest using managed key services and strict IAM policies. Encrypt data in transit using TLS with strong cipher suites. Rotate keys and audit access continuously.
How can privilege escalation vulnerabilities occur in applications?
They occur when authorization checks are missing, inconsistent, or bypassable. Insecure defaults or shared service accounts can also enable escalation. Regular permission audits and defense-in-depth reduce risk.
How would you detect and respond to a security breach?
Use logging, metrics, and alerting to detect anomalies quickly. Isolate affected systems, revoke credentials, and preserve evidence. Perform root cause analysis and remediation.
What is zero trust architecture?
Zero trust assumes no implicit trust inside or outside the network perimeter. Every request is authenticated, authorized, and continuously evaluated. It reduces lateral movement during breaches.
How do you mitigate supply chain attacks in software?
Pin dependencies, verify signatures, and use reproducible builds. Monitor for vulnerable or malicious packages. Limit build system privileges and isolate pipelines.
What are side-channel attacks and why are they hard to prevent?
They exploit timing, power, or memory access patterns instead of direct vulnerabilities. They can leak secrets even from correct implementations. Mitigation requires constant-time algorithms and hardware support.
How would you design a secure key management lifecycle?
Generate keys using strong entropy sources and store them in hardened systems. Enforce rotation, access control, and audit logging. Retire and destroy keys securely when no longer needed.
How do you balance security with system usability and performance?
Overly strict controls reduce productivity and increase workarounds. Security controls should be risk-based and automated where possible. Measure impact and iterate continuously.