Security Engineer Interview Questions

Security Engineer Interview Questions

"When hiring a security engineer, employers want to make sure they select candidates who have the technical knowledge of information security software and hardware to ensure their data will be kept safe in the event of a disaster, whether it be an earthquake or a hacker attack. Before attending an interview for this position, prepare to answer a lot of technical questions that will determine the extent of your understanding of information security systems and how they can be used to protect important data."

3,432 Security Engineer interview questions shared by candidates

Top Interview Questions

Sort: Relevance|Popular|Date
American Institutes for Research
Senior Cyber Security Engineer was asked...July 28, 2015

What sort of anomalies would you look for to identify a compromised system?

1 Answers

I used a whiteboard to draw out a basic network architecture including security technologies like IPS/IDS, Firewalls, AV, etc, and described the type of traffic and logs I could use to identify a compromised system. Less

The Home Depot

Describe the differences between symmetric and asymmetric encryption, and scenarios where one is more appropriate then the other.

1 Answers

Not that difficult if you understand symmetric (private key) vs. asymmetric encryption (public key). Less

Bank of America

I was asked about XSS, SQL Injection, Tools I have used for pen testing.

1 Answers

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. - SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). Less

NTT Ltd.

During the technical interview, the second interview asked, "How would you configure trace route in a cisco firewall for a group of windows users?" I repeated the question to make sure I heard it correctly, and he responded with, "Windows fundamentally handles trace route differently than Unix does."

6 Answers

It's unfortunate that the way you were dismissed was a little bit unprofessional and seemingly misinformed. Also, in fairness, it's probably never a good idea to tell a candidate that they're "just average", even in cases where they really are. For what it's worth, I'd like to apologize on behalf of DD (as much as I'm technically allowed to do so) for the way it was handled. However, regarding the original point, the interview itself is specifically designed to fluster you. We actually expect most people to get this particular question wrong. The idea is not for us to see if you know it all but more specifically how you deal with questions you don't know the answer to. (Bonus points if you DO know, obviously.) We certainly don't expect candidates to know everything offhand, we just like to see whether or not you're going to try to BS your way through an answer. Since I wasn't on this particular call, I have no idea how it went for you but I can guarantee that the decision wasn't based on this question alone but was more likely an overall view of your skills based on all of your answers. I do realize that it's no picnic when you're on the phone but for the most part, they do try to take that into consideration. (I was hired over the phone as well, all the way from South Africa.) Less

I do understand what you have said, and I greatly appreciate the apology. I was very excited about this opportunity. I believe based off my experience and my knowledge of the position that I would have been a great asset to the team. I honestly do not know why the engineers I interviewed with or the recruiter would have felt the way the recruiter did. I know that the engineers I spoke with told me that the recruiter would call me with the next steps and I answered every question that they asked, except the afore mentioned question. The following link is my linkedin profile ( This is about all I can say. I was excited and looking forward to the opportunity, but obviously I was not considered. Thank you for your time, response, and consideration. I wish you the best. Less

In window you use tracert which works with icmp echo and reply message and in cisco environment you use traceroute command undp as well as icmp. But you have to configure for firewall to allow icmp replies Less

Show More Responses

Write a function that can determine if an input number is a power of 2.

4 Answers

Indeed, it is as the previous poster stated. Quite simple -- my initial thought would have been repeated division by 2 looking for a remainder, but that is much heavier lifting. int is_power_of_2 (int val) { if (!(val & val -1)) { return 1; // val is a power of 2 } else { return 0; } } Less

Multiple answers. Powers of 2 only have a single 1's bit, rest will be 0's. Use that fact. X (LOGICAL AND) (X - 1) = 0 i.f.f. is a power of 2. Less

Sure, but every number is a power of 2, or a sum of powers of 2. For example, 16 is (2^4), and 33 is (2^5 + 2^0). If we want to just see if it is divisible, like Brian mentions, well, modulus operator works fine, but I don't think that is entirely the jist of the question. (X % 2) = 0 => divisible by 2, but not necessarily a power of 2, but in stead a sum of powers of 2. Less

Show More Responses

Given a router with a 50 character randomly generated password. how would you gain access to the router?

4 Answers

The second part of the above answer from Krazilee seems wrong. Let's say each character has 94 options (26 upper and 26 lower case letters; 10 digits; 22 special characters). Then the number of permutations for a 50 character randomly generated password is 94^50 = 4.5e98. If your script could check 1 trillion combinations per second, it would take 1.5e79 years to try them all. Even limiting each option to 26 lower case letters it would take 1.8e51 years at this speed. Less

You have to ask clarifying questions on this. Who owns the device? Where is it located? What type of device is it? If the company owns the device, then perform a password reset on it. The process various depending upon the manufacturer of the device. Second, if you have physical access to the device, this makes recovery easier. Third, if it's a router that uses weak encryption and the configurations are backed up automatically, you can run a no-decrypt to retrieve the password. Like cisco password 7. Furthermore, if the system is automatically backed up, and the process is done via this service account logging into the device, you can use this service account to reset the root if it has access to do so. In a secure environment (if the device is hardened appropriately) this will also be impossible. Lastly, you could do a brute force or use rainbow tables, but that is probably not the best idea. Especially if account lock outs and throttling logins by source happen, then you'll have to script differently. To summarize, ask clarifying questions and the point of this question is to understand how you critically think. This question challenges you from a technical ability perspective as well as being efficient with your time. Less

Don’t try to get a successful authentication from the device itself, instead determinate on your use cases hit the human layer, pop their endpoints or go after RADIUS or whatever other AAA they are using, or simply exploit the host if it is open to the web and can be cracked. Less

Show More Responses

They asked me about Linux OS.

4 Answers


I want a job

If can you help me to get it

Show More Responses

Can two files generate same checksum?

4 Answers

Yes, Hash Collisions.

Can you elaborate more questions


Show More Responses

what is an advantage of a domain?

4 Answers

On the contrary, that question can only be understood by an applicant who knows that “Domain” here refers to applying the ISO 27001 standard. It has nothing to do with your website. Less

Central management and organization of a group of devices, users, and resources.

This question was obviously asked by someone who knows nothing about security. What is an advantage of a domain? What type of domain were they asking about? Physical? The name in a DNS? A logically separated environment? You are lucky you were not hired. The VP in charge is unethical and intolerable. Most people there don't like or trust him but he is protected by the COO. Less

Show More Responses

what is volatile, static ? how would it affect if the static keyword used for big array inside a function? what are sections of memory and what kind of variable is stored where?

3 Answers

Just clarify one thing, the static variables within a function are not allocated to the function or thread's stack, instead, they are allocated to BSS area, just like other global variables. so it won't affect their function too much. Less

static variable is not stored on stack.

if Volatile used then the compiler dont consider to optimize that variable . Assume that a variable changed at the time of running . But some compiler optimized .to avoid that we use volatile. Static is the keyword which is used to initialized to once that means extra burden for a compiler to keep the variable .and permanantly allocate space in stack.if you diclare static array then stack overflow will occur. Less

Viewing 1 - 10 of 3,432 interview questions

See Interview Questions for Similar Jobs

malware analystnetwork engineersecurity consultantsecurity administratorsecurity analystsecurity specialistsecurity program managersecurity researchersecurity architectpenetration tester

Glassdoor has 3,432 interview questions and reports from Security engineer interviews. Prepare for your interview. Get hired. Love your job.