5 exercises — choose the best-structured answer to common Security Engineer interview questions focusing on AuthN/AuthZ, API protection, secrets management, and zero trust implementation.
Structure for Security Engineer answers
Tip 1: Always separate authentication (identity) from authorisation (permission)
Tip 2: Use "defence-in-depth" as a framing principle — name all layers
Tip 3: Give concrete attack examples (SSRF → AWS IMDS, XSS → cookie theft)
Tip 4: Name specific tools (Vault, OPA, Istio, IMDSv2) to demonstrate real-world experience
1 / 5
The interviewer asks: "What is the difference between authentication and authorisation?" Which answer is most precise for a security engineering interview?
Option B is strongest because it defines both concepts precisely with their formal abbreviations (AuthN/AuthZ), names concrete mechanisms for each, explains the mandatory sequence, and identifies a real security vulnerability pattern. Key structure: AuthN=identity verification → AuthZ=permission check → sequence: AuthN before AuthZ → stolen token attack surface. Option A is wrong (authorisation has nothing to do with password strength). Options C and D are incorrect.
2 / 5
The interviewer asks: "How would you protect a REST API against common attacks?" Which answer demonstrates defence-in-depth thinking?
Option B is strongest because it systematically addresses all major attack surfaces in a layered model. Key structure: TLS → short-lived JWTs → RBAC → input validation → rate limiting → CORS → security headers → audit logging. Option A (API key + HTTPS) addresses only one layer. Option C (firewall only) does not protect against authenticated-user attacks. Option D (pen testing) is reactive, not proactive architecture.
3 / 5
The interviewer asks: "What is SSRF and how do you prevent it?" Which answer best demonstrates vulnerability knowledge?
Option B is strongest because it defines SSRF accurately, gives a concrete cloud exploitation example (AWS IMDS), and outlines a multi-layer prevention strategy. Key structure: definition → IMDS attack example → allowlist → egress proxy → redirect validation → IMDSv2. Option A confuses SSRF with certificate forgery. Option C confuses SSRF with XSS. Option D is incorrect (SSRF is unrelated to HTTP/HTTPS).
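The allowlist → redirect validation → IMDS-blocking structure that option B is credited with, as an added example that is not part of the quiz: a small outbound URL guard for a hypothetical service that fetches user-supplied URLs. `ALLOWED_HOSTS`, the `resolver` and `transport` callbacks and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

# Constructed sample allowlist: the only hosts this service may call out to.
ALLOWED_HOSTS = {"api.partner.example"}
IMDS_IPV4 = "169.254.169.254"   # AWS instance metadata endpoint
MAX_REDIRECTS = 3

def resolve(host: str) -> list[str]:
    """Resolve host to every address it maps to (real DNS; tests inject a stub)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_target(url: str, resolver=resolve) -> tuple[bool, str]:
    """Layer 1: allowlist the host. Layer 2: refuse any non-public address,
    so a DNS answer pointing at IMDS or an internal range is still rejected."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname        # userinfo and port stripped, case-folded
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    for addr in resolver(host):
        ip = ipaddress.ip_address(addr)
        if addr == IMDS_IPV4 or not ip.is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"

def guarded_fetch(url: str, transport, resolver=resolve) -> tuple[int, bytes]:
    """Layer 3: never auto-follow redirects; every hop is re-validated.
    transport(url) -> (status, headers, body) is an assumed HTTP callback."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, reason = check_target(url, resolver)
        if not ok:
            raise ValueError(f"blocked {url}: {reason}")
        status, headers, body = transport(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body
        url = urljoin(url, headers["Location"])   # next hop checked on loop
    raise ValueError("too many redirects")
```

In production the same checks belong in the egress proxy as well, and IMDSv2 (session-token required) closes the case where the guard is bypassed entirely.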
4 / 5
The interviewer asks: "How do you approach secrets management in a cloud-native environment?" Which answer demonstrates operational security maturity?
Option B is strongest because it describes a production-grade secrets management architecture: dedicated secrets manager, workload identity, sidecar injection, automatic rotation, audit logging, and least-privilege. Key structure: no-secrets-in-git → secrets manager → workload identity → sidecar injection → auto-rotation → audit → least-privilege. Option A (manifests + annual rotation) is a security anti-pattern. Option C stores secrets in a database (adds complexity without the rotation or workload identity benefits). Option D (.env file) does not scale.
5 / 5
The interviewer asks: "What is zero trust and how would you implement it for an engineering organisation?" Which answer demonstrates architectural maturity?
Option B is strongest because it correctly defines zero trust, explains the shift from perimeter to identity-centric security, and gives concrete implementation steps at each layer. Key structure: never-trust-always-verify → identity-based → micro-segmentation (mTLS) → device posture → continuous authorisation (OPA) → encrypted traffic → JIT access. Option A misunderstands zero trust entirely. Option C (firewall) describes perimeter security, the opposite of zero trust. Option D (VPN) is also a perimeter model.