InterviewStack.io LogoInterviewStack.io

Secure Coding and Application Security Questions

Covers the principles and practices for building and maintaining secure software throughout the secure software development lifecycle. Topics include secure coding patterns, common vulnerabilities and mitigations such as injection, cross site scripting, insecure deserialization, broken authentication and authorization, improper error handling, and insecure configuration. Includes threat modeling, secrets management, dependency and supply chain hygiene, vulnerability and patch management, and principles of least privilege and defense in depth. Covers code level controls such as input validation and output encoding, use of vetted libraries, avoiding dangerous custom cryptography, and guarding against side channel and timing attacks. Also covers security activities and tools including code review best practices, static application security testing, dynamic application security testing, interactive application security testing, dependency scanning, and how to integrate security testing and gates into continuous integration and continuous delivery pipelines to improve application security maturity.

HardTechnical
38 practiced
Design an automated vulnerability prioritization algorithm for SREs that combines CVSS, evidence of exploit, service criticality, SLO impact (error budget consumption), and whether the vulnerable component is present in production. Describe data inputs, scoring, and how the output integrates with ticketing and deployment workflows.
EasyTechnical
68 practiced
Define a software supply chain attack and describe immediate and ongoing controls an SRE team should implement to reduce risk from third-party dependencies. Include SBOM generation, dependency pinning, artifact signing, private registries, and build isolation in your answer.
EasyTechnical
40 practiced
Discuss how static-typed versus dynamic-typed languages impact injection vulnerabilities. Regardless of language, propose a set of runtime defenses and operational controls an SRE team can apply to reduce injection risk across heterogeneous services.
HardSystem Design
45 practiced
Design defense-in-depth for an internal administrative portal used by SREs and engineers. Cover authentication (MFA), network segmentation, privileged access workstations (PAW), just-in-time access, audit logging, session management, and break-glass emergency access. Explain how each control reduces risk.
MediumTechnical
35 practiced
For a Java web application in production, propose a runtime application self-protection (RASP) strategy to detect and prevent SQL injection and insecure deserialization with minimal performance impact. Explain instrumentation points, sampling, response actions, and trade-offs.

Unlock Full Question Bank

Get access to hundreds of Secure Coding and Application Security interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.