InterviewStack.io LogoInterviewStack.io

Secure Coding and Application Security Questions

Covers the principles and practices for building and maintaining secure software throughout the secure software development lifecycle. Topics include secure coding patterns, common vulnerabilities and mitigations such as injection, cross site scripting, insecure deserialization, broken authentication and authorization, improper error handling, and insecure configuration. Includes threat modeling, secrets management, dependency and supply chain hygiene, vulnerability and patch management, and principles of least privilege and defense in depth. Covers code level controls such as input validation and output encoding, use of vetted libraries, avoiding dangerous custom cryptography, and guarding against side channel and timing attacks. Also covers security activities and tools including code review best practices, static application security testing, dynamic application security testing, interactive application security testing, dependency scanning, and how to integrate security testing and gates into continuous integration and continuous delivery pipelines to improve application security maturity.

HardTechnical
46 practiced
You must threat-model a new serverless payment-processing function: it retrieves secrets from a store, calls external payment gateways, and writes results to a DB. Produce a concise threat-model output: (A) a textual data-flow summary, (B) the top five threats ranked by risk, and (C) prioritized mitigations that fit a compliance-minded but agile team.
HardTechnical
58 practiced
Design an approach to integrate Interactive Application Security Testing (IAST) into integration and system tests for a complex monolith. Cover agent instrumentation, performance impact, selective test coverage to reduce noise, how findings will be triaged and surfaced to developers, and strategies to reduce false positives.
HardTechnical
35 practiced
You have a growing backlog of high-volume SAST and DAST findings across many teams but limited security engineering bandwidth. Design a remediation program including triage/prioritization, automated suppression for accepted and documented risks, developer incentives (training/bug-bounty/credits), a security champions model, and metrics to track mean-time-to-remediate and program health.
MediumTechnical
40 practiced
Provide pseudocode or a short Java example showing safe deserialization practices with Jackson or core Java: include whitelisting allowed types, limiting input size, and avoiding polymorphic type resolution. Explain why each step mitigates deserialization attacks.
EasyTechnical
37 practiced
Explain the principle of least privilege and describe three concrete ways you would apply it for a new REST API and its deployment environment (examples: IAM roles for services, database credentials, container runtime capabilities). For each way, include how you would validate the control and a monitoring signal that would indicate it is misconfigured.

Unlock Full Question Bank

Get access to hundreds of Secure Coding and Application Security interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.