I interviewed as a Security Engineer at tech giants, here's what I learnt



It all started when I was still in university and developed a prominent interest in web application security that I aspired to get into one of the tech giants(GAFAM companies), but it wasn't until I had already spent 2yrs in the industry, that I finally got a chance to interview at Microsoft, Amazon & Facebook.

I had started my career doing bug bounties and the positions I got the interviews for were closely related to Web Application Security. To prepare for these interviews I made sure I knew every sophisticated payload out there, I even went to the extent that i started reading research papers to learn what more complex things I could do with very rare vulnerabilities such as RPO based XSS etc

With those skills, I was pretty confident that I will be able to crack the interviews, Guess how those interviews went? I failed Microsoft in screening round and Amazon, Facebook in Onsite round. The interviews were completely different from the interviews I had done before, that was the time when I realized that I had made a lot of assumptions and those lead me to the failure.

I have compiled a list of assumptions I had before interviewing at these companies and what I learnt from my failures if you aspire to get into one of the GAFAM companies you can definitely learn from the experiences I had and avoid making the same mistakes




#1.  I am interviewing for offensive security role, I do not need to know about defense

Even though you're interviewing for a pentester role, you will still be asked about vulnerability mitigation & remediation. Interviewing for offensive security role is no excuse for not knowing about the defensive side of things and vice-versa

#2.  I need to know complex payloads & wizard level attack techniques

You'll almost never get interviewed for complex stuff. . . unless you bring it up. Your interviews will mostly constitute of open-ended questions which will be asked to explore your breadth & depth of knowledge.

e.g ., Question: How would you stop malicious bots from attacking your website (Not an actual interview question)
Answer: You can talk about the attacks originating from bot traffic: credential stuffing, data scraping, and DDoS attacks. Then you could go in-depth and talk about various types of DDOS attacks, NTP based amplified DDOS attack exploits monlist command & finally talk about how you would stop these attacks.

If you answer in this way you can show that you understand the different types of attacks (breadth of knowledge) and you also understand the specific technicalities of attacks (depth of knowledge)

To excel in these interviews it's better to build overall cyber security knowledge along with the knowledge of common vulnerabilities, being asked to come up with a payload to exploit a very rare vulnerability is not a norm.

#3.  It's all about having Cyber Security skills

It might sound counter-intuitive but Cyber Security constitutes less than 50% of the overall interview domains, being good in cyber security only won't be sufficient to get you through the interview process.

Some of the other domains you need to know might be:
  • Networking Fundamentals - (OSI, DMZ, Firewalls, DNS)
  • Competitive Programming - (Optimized Solution, Calculating Space & time complexities)
  • Code Review - (Ability to read someone's code)
  • System Design - (More details later in the post)

#4.  I am not interviewing for a dev role,  I don't need to know Competitive Programming

While the majority of the companies might not ask you to solve Competitive Programming questions, there are still few which will ask you. For instance 3 of my interviews (2 screening & 1 onsite) @ Facebook were pure competitive programming interviews.

The expectation out of this interview is that you should be able to solve easy-medium level competitive programming questions, find optimized solution, space/time complexities and be able to implement the most basic data structures like Sets, Lists, Hash Map etc.

It's very difficult to build these skills overnight, you should definitely check if your dream company requires you to possess this skill set.

#5.  Security design interviews should be easy to clear

When I found Security Design in my onsite interview schedule @Amazon I searched online a little and didn't find much resources about this topic, so I assumed that I would be asked about WAF, IDS, Encryption etc, like the basic things you need to make a network architecture secure.

During my interview I was asked to come up with the architecture of a particular type of website, I did it, I made a server, a database and an API gateway, connected all of them together and a cherry on top, I even added a WAF, BoOm!! (it's big brain time). I felt the interview was too easy, but I was not even close, I just missed meeting expectations of that interview by a couple light-years.

In reality, Security Design interview is a System Design interview with security as a focus area. To get a taste of what a system design interview looks like, you should look at this video.

But to summarize, you need to know:
  • Data Structures (How would you build an Uber like app? heard about QuadTree Data structure?)
  • Tradeoffs (Why would you pick a NoSQL DB in comparison to Relational DB?)
  • Concepts (Consistent Hashing, CAP Theorem etc)
  • Scaling Strategies (How to vertically & horizontally scale a design, what sharding strategy would you define?)
Another interesting, type of security design interview is the one where you'll be given a half-done design and a predefined set of goals. Your interviewer will ask you to add new things and make the design work in such a way that it meets the predefined goals.

#6.  Behavioral interviews are a piece of cake

They are not, your behavioral interviews can last anywhere from 40 mins to 1 whole day (In Amazon all onsite tech interviews are 50% tech and 50% behavioral), during these interviews you will be asked about your past experiences, you should prepare enough examples to last you through 40 mins or 1 day.

These interviews are also the most important one's; if you fail this then regardless of how good your technical rounds went you will still be rejected. The recommended way to answer these questions is to follow STAR methodology, if you haven't heard about it before, you should definitely check it out.

In a nutshell, behavioral interviews can't be taken for granted and definitely need some prior preparation.

#7.  The interviewer is interviewing to find flaws & weaknesses

It may come as a surprise but interviewers at these companies would actually want you to perform well in the interviews, with most of these companies you would have a Prep call, where they will walk you through the interview process & tell you what to expect during the interview. Some of the companies would even go to an extent where they will buy you an online course to prepare for the interviews better.

I can't explain this with facts & metrics, but if you change your perspective from "interviewer is interviewing you to find your flaws" to "interviewer is interviewing you to succeed" you'll be more comfortable giving the interview; this works like magic there's no explanation to that.

Finally, if you have an upcoming interview all the best :) Or if you're in the process of preparing for the interviews here are some good resources I found Security Engineering at Google: My Interview Study Notes and My experience with Google interview for information security engineer.







Amit Sangra

Author & Editor

Amit is a Security Engineer acknowledged by Google, Apple, Microsoft, eBay, Intel and other top companies for reporting security issues in their web services.

2 comments:

 
biz.