Awesome AppSec Interview

A curated list of resources, practice questions, and study materials to help you prepare for Application Security Engineer interviews, organized by interview type.

Contents

• Interview Overview
• Secure Code Review
• Threat Modeling
• Coding & Scripting
• Scenario-Based Interviews
• Technical Knowledge
• System Design
• Behavioral Interviews (STAR)
• Related Resources
• Contributing
• License

Interview Overview

What to Expect

Most AppSec interview loops include a mix of:

• Secure Code Review
• Threat Modeling
• Coding or Scripting
• Scenario-Based Questions
• Technical Knowledge
• System Design (Senior+)
• Behavioral Interview

General Interview Tips

• Ask clarifying questions - Questions are intentionally vague to see how you think
• Think out loud - Verbalize your reasoning process
• Write down notes - Track requirements and constraints
• Show your approach - Process often matters more than perfect answers
• Don't rush to solutions - Explore the problem space first
• It's okay to not know everything - Show how you'd find the answer

Secure Code Review

What You’re Tested On

• Identifying vulnerabilities from code
• Following data flow (sources → sinks)
• Understanding exploitability
• Recommending pragmatic mitigations

Core Concepts

• OWASP Top 10 vulnerabilities and mitigations
• Language-specific vulnerability patterns
• Taint analysis and data flow
• Understanding the code

Learning Resources

• Code Review Lab - Interview style secure code review challenges
• OWASP WebGoat - Deliberately insecure application
• OWASP Code Review Guide
• OWASP Cheat Sheet Series
• PortSwigger Web Security Academy

Common Interview Questions

• Walk through this code and identify issues
• Why is this vulnerable (or not)?
• How would you exploit this?
• How would you fix it?

Threat Modeling

What You’re Tested On

• Structured thinking
• Identifying threats early
• Prioritization and trade-offs
• Communication with engineers

Core Concepts

• STRIDE - Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege
• 4 Questions framework
• Data Flow Diagrams (DFDs)
• Attack trees
• Trust boundaries
• Asset identification and threat prioritization
• Always cover the basics (eg using TLS for data in transit)

Learning Resources

Videos

• World’s Shortest Threat Modeling Course
• STRIDE in 20 Minutes

Reading

• Threat Modeling Beginner’s Guide
• Threat Modeling Modern Applications
• OWASP Threat Modeling

Books

• Threat Modeling: Designing for Security – Adam Shostack

Common Interview Questions

• Threat model a login flow / payment system / API
• How do you prioritize threats?
• Explain STRIDE
• Difference between threat modeling and pentesting?
• What are trust boundaries?

Coding & Scripting

Coding (Algorithms & DSA)

What You’re Tested On

• Problem-solving
• Data Structures

Core Concepts

• Arrays, hash maps, stacks, queues
• Trees and graphs (basic)
• Big-O reasoning
• Common patterns (two pointers, BFS/DFS)

Learning Resources

• LeetCode Interview Crash Course - Structured curriculum
• Practice Easy/Medium on LeetCode
• Focus on patterns: LeetCode Patterns
• NeetCode Roadmap - 150 essential problems
• NeetCode - Excellent explanations
• NeetCode YouTube Playlists
• Cracking the Coding Interview
• Grokking Algorithms

Recommended Problem Count

• Minimum: 50-75 Easy/Medium problems
• Comfortable: 100-150 problems covering all patterns
• Well-prepared: 200+ problems

Scripting & Automation

What You’re Tested On

• Practical automation
• Log and data parsing
• Security tooling familiarity

Core Concepts

• Log parsing - Extract IPs, domains, timestamps, user agents
• API interaction - Query security APIs, submit data
• Data transformation - JSON/XML/CSV parsing and manipulation
• Pattern matching - Regex for security indicators
• File operations - Read, parse, and process security data

Learning Resources

• Automate the Boring Stuff - Python fundamentals
• HackerRank Python Track - Practice Python basics
• HackerRank Regex Track - Pattern matching
• ExplainShell - Understand bash commands

Common Interview Questions

• Parse web server logs for suspicious activity
• Find patterns indicating scanning/enumeration
• Parse Nmap XML output and generate reports
• Aggregate results from multiple security tools
• Find all URLs/IPs/email addresses in text
• Basic port scanner
• HTTP header security checker
• Simple vulnerability scanner

Scenario-Based Interviews

What You’re Tested On

• Security judgment
• Communication
• Risk assessment
• Incident handling

Core Concepts

• Vulnerability triage
• CVSS and severity
• Incident response lifecycle
• Root cause analysis

Learning Resources

• Public Bug Bounty Write Ups
• Public post-mortem blog posts

Common Interview Questions

• Walk through a vulnerability you found
• How would you triage this report?
• Explain a recent CVE
• How does SSTI / XSS / SSRF work?

Technical Knowledge

What You’re Tested On

• Overall security knowledge
• Usually conducted by senior security engineer
• Will go into depth in one of these areas based on the role

Core Concepts

• Cryptography
  • Symmetric vs Asymmetric (When to use each)
  • Hashing
  • TLS/SSL (Handshake process)
  • PKI
  • Difference between encryption, encoding, hashing?
• Authentication & Authorization
  • MFA
  • Protocols (OAuth 2.0, SAML, JWT)
  • Session Management and attacks
  • Authorization Models (RBAC, ABAC, ACLs)
• Web Security
  • Core Vulnerabilities (OWASP Top 25)
  • Mitigation and mitigating factors for each one
  • HTTP Headers
  • CORS
  • Same-origin policy
• Cloud & Container Security
  • IAM best practices
  • Shared responsibility model
  • Container Security
  • Security implications of serverless
• Secure Architecture Principles
  • Defense in depth
  • Zero trust architecture
  • Least privilege
  • Fail securely
  • Security by default
  • Secure SDLC integration

Learning Resources

• Crypto101
• OWASP Cryptographic Storage
• OAuth 2.0 Simplified
• JWT.io
• OWASP Authentication Cheat Sheet
• AWS Security Best Practices
• Cloud Security Alliance
• PortSwigger Web Security Academy
• OWASP Top 10
• OWASP Testing Guide
• Secure by Design
• Security Engineering - Ross Anderson - Free
• OWASP SAMM
• NIST Cybersecurity Framework

System Design

What You’re Tested On

• Secure-by-design thinking
• Scalability + security trade-offs
• Real-world constraints

Core Concepts

• Auth at scale
• Rate limiting & abuse prevention
• Secrets management
• Audit logging
• Defense in depth

Learning Resources

• Grokking the System Design Interview
• Grokking Modern System Design
• ByteByteGo - Algorithms for System Design - Start here
• ByteByteGo - System Design Interviews
• NeetCode - System Design
• System Design Interview Vol 1 & 2
• Hacking the System Design Interview

Behavioral Interviews (STAR)

What You’re Tested On

• Ownership
• Influence
• Conflict handling
• Learning mindset

Core Concepts

• STAR Framework
  • Situation - Context and background
  • Task - Your specific responsibility
  • Action - What YOU did (be specific)
  • Result - Outcomes and lessons learned
• Prepare 5–7 stories
• Quantify impact
• Focus on your actions
• Show growth

Learning Resources

• Understanding the STAR interview format
• Tech Interview Handbook – Behavioral

Related Resources

Interview Prep

• Tech Interview Handbook
• Grace Nolan’s Notes

Awesome Lists

• awesome-security
• awesome-appsec

Contributing

Contributions are welcome! Just submit a PR!

Guidelines

• Add resources relevant to AppSec interviews
• Follow existing section structure
• Ensure links are stable and reputable