Ep10: Top DevSecOps interview questions - level 1

Captions
[Music] Hello everybody, welcome back to Hackitect's playground. Today is a very special episode about interview questions: the basic questions that I was able to gather over the years on interviews, especially in my career in cyber security. I was thinking that it would be a good idea to deliver them back to you, tell you more about all of these questions, how it basically works, and how this is related to your passing rate for getting the cyber security job. I hope that you will get some information. I will not disclose the answers for you; your homework is to find the answers, look at the internet, google a little bit, and find the answers that can help you to grow. Sometimes you can be very surprised that even basic questions can catch your eye.

I separated all the questions into three layers: one is basic, the second is medium, and the third is hardcore, or I would say more high-level, really tough questions that can be very, very, very hard even for experts with years in the industry. So this level one is the basic questions. You cannot afford to lose them; you cannot afford to not answer any of these questions. Basically, if you want to test somebody on the other side, for example you want to see how they behave during the interview if you do not answer correctly, you can do it with the medium or the high questions. Don't do that with the easy questions. Usually on interviews what I'm doing is testing the interviewers by not answering a question correctly, or testing how they will react if the answer is not what they expected, because I will work with these people and I can recognize if they are good or bad persons: how they treat me, how they judge me, how they react, how they see me as a person, and whether they are able to say "that's fine, you didn't answer everything well," or if they behave like "yeah, this guy is not good because he didn't know this answer." So do it only with the medium or the high questions.

So now I will disclose this 8-bit game for you and we'll go step by step through all the levels to beat our final boss on the interviews. Let's go. I hope that you will enjoy all of these things during the session. Here's the inventory that we need to prepare together before you go to an interview. There is preparation needed. You need to have at least some GitHub account, your own GitHub account. It is good to put there your own personal private projects. For example, I was not able to put there any projects from my work, because I worked mainly on closed software, but for those who want to show their personal projects, their personal labs, their personal setup, or, if you have the rights to it, a game: I put on my GitHub some games, my labs, and some homework that I did for other companies. That will be really beneficial for you because it can spare you the discussion about whether you can code or not. Even so, companies are sometimes so focused on coding that they will tell you that's not enough, even in security. I shared my GitHub and GitLab accounts with several companies when I was interviewed and they still sent me to 48-hour coding interviews or something like that, so you need to be ready for that.

An interview is a game. It's not designed to test your real skills; basically it's not testing what you know or what you don't know. It's biased, we all know that, and to pass it you need to be ready to play the game with the companies. I was able to get to a rate of like 90 percent of being accepted by companies when I'm doing interviews. It's not all the time; you will not be able to pass all the interviews. Don't be sad, because sometimes there is bad chemistry, sometimes this is just not the company for you. You need to take that into account and there can be many reasons, but this video, this game, will help you to go through different obstacles.

Next thing: you need to energetically prepare. For example, when I was doing the 48-hour interview I really needed to be ready for 48 hours hands-on with coding and preparation of tasks for the company, which sent me ten different tasks. This is a really hardcore example; you can have this kind of interview at the best Fortune 500 companies in Silicon Valley, and you need to be really ready for it. So basically a cup of coffee can make you better. Even if you go physically, and I know that in this age of COVID that's really hard, but if you go physically to an interview it is good to ask for a cup of coffee to make yourself a little bit comfortable, or water or tea, whatever you like.

In preparation it is important to have a really well-written CV, or, in the modern way, you can also have your personal web page which will present your successes and your projects. For me, I don't think that today it is necessary to have a written CV in a doc or PDF; you should have at least some kind of presentation which will be original and unique to you. For example, sometimes I'm preparing videos for the companies to tell them why I want to work there, why I think that this company is the place where I want to be, where this company is, why I am really happy to be there and why I really want to achieve it, and then I send a private YouTube link and they will watch it or not, it's up to them. But that can distinguish you. So that's the first step that you need to do in this game of beating the interview process, and I hope that you will enjoy this game. This is our first enemy: preparation is the key.

I will tell you more about things like OWASP, which are the basic questions, but before we jump to OWASP I will share with you in the browser my personal OWASP Top 10... oh no no no no no, not Top 10, my GitHub account. In my GitHub account I have my fake lab for Terraform, I have there my file analyzer which I did for 45 when I was interviewed there, I did some forks of interesting tools that I really like, and also I put there my blockchain demo and some games that I built. I'm also preparing some DevSecOps talks there, but this is just under development. So whenever you want to share and you want to prove to your future employer that you understand the matter, you can put there your PowerShell scripts, your forensic scripts, even just markdown text with your notes. For example, if you pass a certification, put it in markdown, share it with the community and help them to reach it. Basically the employer will see your behavior towards the community and that you are trying to help, so this is something that will be appreciated and I think that everyone will like it.

So one of the basic questions is: what is OWASP? I was in the interviewer position also, and if somebody was not able to answer me what OWASP is and what it is about, I'm just desperate, and you should leave the interview right on the spot if you don't know that it's the Open Web Application Security Project. But the catch is that OWASP is not focusing only on web application security. You need to understand this, and you need to understand the context and content of the OWASP tools. At least you need to know the OWASP ZAP proxy, you need to know secureCodeBox, this is one of the top-notch projects that I'm now watching really carefully on the OWASP pages, and which tools from OWASP you use. They can ask you which tools you use in your company or which tools you are used to using, what is your logging platform, what is your favorite scripting language, whatever. But the important point is that OWASP is not only web application security related.

Again we will go to the browser and I will show you more of what we can find in OWASP. There is the OWASP Mobile Security Testing Guide, which is not related to web application security; that is a mobile security testing guide. The Mobile Application Security Requirements and Verification Standard will help you to define the requirements, and it's not related to web applications. There are also other things like the Internet of Things. The Internet of Things is not a web application, and there are lots of projects: the OWASP IoT Top 10, not only the OWASP Top 10. There is also the OWASP Firmware Security Testing Methodology; I will click on it, and you have lots of interesting methodological stuff which is not related to web application security. So do not answer your employer that this is just a web application security project. There is also the Code Review project, which will help you to perform code review independently of the language and provides a methodology for how to go through code that you never coded. If it is a back-end or front-end application, it will help you a lot with source code review. So keep this in mind, and let's move forward with the presentation, or more with our game. I hope that now it's clear what OWASP is, how you should answer, how we should think about it when somebody is asking. If you say this is just a web application project, you are done, you are just done on the spot. So do not make this mistake, and don't repeat the mistakes of others.

Moving forward, we have a nice troll bridge here which we need to pass, and we need to be really careful how we behave to not get eaten by these trolls. The difference between TCP and UDP: you need to know that TCP is a connection-based protocol, UDP is connectionless and it's not reliable, TCP is reliable and provides you checksums and assurance of delivery. If some packet is lost, TCP will help you. What you really need to know is also how the TCP handshake works, from top to bottom. I really don't like it if somebody is asking me what the difference between TCP and UDP is and they think that I'm just an idiot, but it's not about that. If it is for a junior position, I understand that; if it is for a senior position I have serious concerns about the interviewers and why they are asking senior guys about this, because there are other questions related more to the behavioral approach. So the TCP and UDP difference is a must. You need to know that the TCP handshake is a three-way handshake: there is a first SYN packet or SYN flag, then you answer with SYN and acknowledgement, and the first host then answers back with an acknowledgement. That's the basic thing that you need to know.

You need to know the common ports: if somebody asks you about DNS, about for example HTTP, HTTPS, about the monitoring protocol, email protocols, SSH, you need to know it even when somebody wakes you up in the evening. My tip is, in the morning before the interview, check the common ports, learn the basic ones, understand the common and the registered ports, and know the ranges of registered and unregistered ports. The very tricky part is packet, datagram and frame. A frame is running on the physical layer, a datagram is related to the UDP protocol, and a packet is basically the name of the unit sent through the network in the IP layer. You need to know the ISO OSI model from top to bottom if you are applying for the job. These questions are just the basic ones that will help you to pass to the medium questions, which are more hardcore, and then to the crazy questions that I will disclose in the next levels of this game.

The most tricky thing is: what happens when you type example.com in Google? You need to understand what DNS is, how DNS works, what is top-level DNS, second-level DNS, and how the encapsulation from the application layer down to the physical layer works. They will ask you for that, and you need to understand the DNS traffic, how it works, how basically the internet translates IP addresses to human-readable names. There can be lots of other questions hidden there, like encapsulation on the socket layer, how it works on the IP layer, what happens with the ARP protocol. All of these things are like in school, yeah, and I really don't like it either.

If we go forward, I just put there some ports for you to remember. These ports you need to know; even if you are in Siberia with snow against you, you really need to be able to answer that. But what I don't like is creating an interview in an exam-like context. This is not an exam that you didn't have the option to prepare for; that's what I don't like about today's interviews. Sometimes it sounds to me like "do you know Bell-LaPadula and similar models?" It's like a certification; I feel like somebody is trying to test me from the certification exam and nobody gave me the notes to prepare for it, nobody really gives me the opportunity to study the materials for the interview. That's what I don't like, and I know the frustration, I know that you are there somewhere in a similar situation, but with some preparation you are able to at least be a little bit ready. You need to be prepared for everything; they can ask you about Pokémon, whatever, to test different behaviors, they can put you under a stress factor, but I will tell you about that in this video.

So let's move forward a little bit through the bridge to the next part of our level. We have a nasty golem here, and to move forward we need to know the next questions: what is a penetration test, what is a vulnerability scan, and the difference between authentication, authorization and accounting. A penetration test is a focused security audit or testing with a specific scenario description. You need to know what a pentest is, you need to know the specific scenario description, and you need to know what the scope of the pentest is. It's a little bit narrow, and the time slot is a little bit smaller than in red teaming. Red teaming is: here is our company, here are our address scopes, try to get in, use social engineering, use any technique you like, here are the borders within which you need to move, it lasts for three months, and then you report what you found and how you got it. That's very different. A vulnerability scan is about disclosing vulnerabilities; it's basically an automated audit over several interests like low-hanging fruits, and you cherry-pick these low-hanging fruits without exploitation, without the specific scenario description, and list these vulnerabilities to your employer, customer, or the entity that you are working for.

Authentication and authorization: authentication is proving who you are, proving your identity. Authorization is assigning you the access rights or role that you should have, access to the data that you should have, or renting you the keys that you should have, or for example giving you access to specific networks. It is very related to zero trust, so for example that's a question they can ask you: what is the zero trust architecture? I know that this is a marketing term, but lots of companies love it. They will ask you what is DevOps, what is cloudification, what is cloud native, what is a VPC, what is for example zero trust, and lots of these things they can ask you, and they will watch what you say, how you behave, how you answer, how you react, how long you think about it. Lots of things can be observed on you, and you need to be ready for it. And also related to this A and A principle is another A, accounting, which is basically logging.

So let's move forward. We have another crew, really bad things that I see here that we need to pass: there is some dark mage with some golems in the castle, so I hope that we will be able to go through. Our hero is having a really hard time, and I forgot to tell you, our hero is us, who are trying to find a good job which we will like and enjoy. You need to know the difference between threat, vulnerability and risk, a basic thing. It's related to risk management; everything in cyber security is spinning around risk management. You need to know that risk is the probability that some threat will happen, a threat is an event which will cause a threat, or it's an occurrence of an event which will cause some damage to you, and a vulnerability is a lack of controls in your system. They can also ask you what's the difference between a vulnerability and a weakness; that's something you need to prepare for. It's also related to CWE and CVE: Common Weakness Enumeration and Common Vulnerabilities and Exposures. These things you need to be able to distinguish. You need to know what the Common Vulnerability Scoring System is, and the medium-level question hit point here is: what is the difference between version two and version one? That's something you need to know.

What is SIEM, what is SOAR, what is SEM? Basically you need to know what SIEM is, security information and event management; SOAR, orchestration, automation and response, related to SIEM; and what is for example security event monitoring, what is logging, and what is aggregation and correlation. All of these are basic-level questions; they can ask you about these terms. What is tricky is that they can ask you about different tools, like what port ping is running on. It is not running on any port; it works on the ICMP protocol, which doesn't care about ports, and you need to be able to answer this question. They will ask you how traceroute works, how dig works, so basically different tools, and they can ask you for the usage of netstat: they will show you netstat output and ask you what this tool is about. I know that's tricky, you are working with that, why are they asking that, are they trying to make a fool of you or something like that, but be ready for these questions. I get them on interviews, and sometimes I even ask this question too, because if I see that somebody is lost, I'm trying to help him, especially in front of the manager, because managers are sometimes really picky and they're looking for the unicorn. I really like to work with someone who has potential, who can learn fast, and these questions can basically be a helper, not some of those that I mentioned on this slide, but for example what is OWASP, that can be a big helper.

So let's move forward in our game, let's break some spells here, and we are in the castle. Let's look, it looks like there's some potion, and I hope that we'll get it to make us stronger to survive these interviews. Some interviews can last for three hours, some can be for example 48 hours. The toughest interview that I ever had was 48 hours of coding and fulfilling the expectations of somebody who basically was not able to describe to me why I'm doing that and how it is related to the position. So be ready for everything.

How does the TCP handshake work? I already told you. What is cross-site scripting? I don't need to describe that to you, just check the OWASP Top 10 vulnerabilities and check cross-site scripting: basic injection of a script which is executed in the client browser. A very important thing, and that's a basic question that you can get, is stored versus reflected. Stored injection is basically injected JavaScript or any other injection which is saved in local storage, in session storage, in the database, in a NoSQL database, and then displayed back to the users. Reflected is only user on user, so basically injected for example through an open redirect, and then you get the feedback of the reflected cross-site scripting. That's it. Study that in detail to be able to explain it, to be able to paint it on a nice whiteboard with colors and explain the difference between stored and reflected.

What is SQL injection? SQL injection has many contexts; there are different types like blind SQL injection, procedural SQL injection. You just need to know that this is an injection into the SQL statements in applications, which are always true if you evaluate the value of the injection, and they can give you for example the whole database, because you can modify the commands and queries in SQL and get for example the user database, you can get admin of the database. So there are lots of different things that are really hardcore with SQL. For me, for example, what I was presented with was a paper with injections, with different ones like path traversal, cross-site scripting, there was a buffer overflow, and they asked me to name these different injections, name these different vulnerabilities, and you need to be ready for that. This is a medium-level question, but I'm trying to give you a spoiler and trailer for the next video.

So let's move forward through the castle. Yeah, I wouldn't think that we will pass it. You will face a situation where you are exposed to a stress test. A stress test is something that I experienced: if there are two, three or four people, you can be sure that they are testing how you behave in the group. They will try to push you; for example, in my case they tried to push me to the maximum level, basically asking me "what if" and "what then," and what they did, well, I don't care, you know. They tried to test when I will say enough, when I'm going to say I have had enough and I end this, and they tried to find my spot. I don't know why all these companies are testing that, it's more behavior testing, but you need to be ready for this also. There will be four people in front of you and they will test you with absolutely nonsense stuff; they will ask you for example to build and suck in five sentences, and when you do not do that they will say "I expected more." They are basically trying to test your behavior, so be ready for this also, and as I'm saying, an interview is just a game, it's a game, and you need to learn how to play this game with companies.

From the DevSecOps perspective you can get Kubernetes questions: what is a Kubernetes pod, the minimal deployable unit or the problem for Kubernetes workloads; what is the master node, that there is a scheduler and controller; what is etcd, that this is a distributed key-value database. If you don't know these things for a DevSecOps interview, you are screwed. What is a pipeline and how does it work, what are the common stages of a pipeline, what are the security stages of a pipeline? That's the thing that you should study before you go to any DevSecOps interview, and nowadays even for the top-notch jobs: if you are not able to answer these questions you are not passing the basic threshold, you are not able to go through the basic questions.

Then there is SaaS, PaaS and IaaS. Software as a service: you control just the software, everything else is like a shadow for you and you don't have any control over that. Platform as a service is basically serverless: you put your code in the cloud, and these questions are all related to cloud. You put for example your Docker container with your application, or just your Python script in Lambda, and everything else is taken care of for you; you don't need to care how it is done, about the operating system, you don't manage the operating system, it's managed for you. Infrastructure as a service: basically you manage the whole infrastructure, you manage what is in the infrastructure, the load balancers, the firewall rules, the security groups. You just get a whole infrastructure, and it is also very often related to infrastructure as code.

The next question is right from the SSDLC: what is SAST, what is DAST, and sometimes what is interactive application security testing. So be prepared for the question and the description of what static application security testing is and what dynamic application security testing is, distinguish between the two, and be able to tell in which stage of the pipeline they are executed. Be ready to say what Docker is, what a Docker layer is, what the Docker life cycle is and how it works. They can shrink it to what is a microservice or what is a container; they can ask you in this abstract way, and then you need to be ready with what to answer to "what is Docker" and how you describe it. You know, you work with that every day, you deploy the request around the Docker container, you build the images, but what it actually is and how it works, these are little tricky questions, and they have the book in front of them and they are looking at you to get the answer. That's crazy, and sometimes you say, why are you asking me that if I can google it? It's because it's a game, simple stuff, it's because this is a game.

So what is a VPC and how does it work? They can ask you what a virtual private cloud is in any cloud environment, and what cloud you know: do you work with GCP, do you work with Azure, do you work with AWS, do you know what an S3 bucket is and how you will secure it. So for example a simple question: we are going to the cloud, our company is going to the cloud, how will you approach securing such an environment? Think twice, yes, that's something that you can be asked as a basic question, because they will not ask you about any technical details, they will just ask you about your approach. That's something that they want to know, so you need to eliminate this step by step in the preparation for the interviews. Again, it's not the certification that you didn't get the material for, but some basic prep will always help. I underestimated some of the preparations and basically it didn't end well.

So let's move on. Oh, it looks like there is some nasty boss. Yes, that's the thing that I wanted to talk about today: the Pinocchio effect. The Pinocchio effect is something that I am not really happy about: companies are lying to you in the job descriptions, that's for sure, because often they do not understand the requirement itself, they do not understand what happens in the company and why they need it. There is something called the Pinocchio effect that can help you in the negotiation with your employer or future employer to recognize if there is a problem or not, if they are lying or not, because the more they talk and the more they are trying to advocate their own ideas, advocate what they are saying, the longer they talk about the job, for example telling you that they have a Kubernetes environment or something like that, you see that they maybe do not understand it, or maybe they wish to have somebody and you will be the first one who will help them, or something like that. But the more they talk, the more they advocate their own situation; they do not advocate it for you, they advocate it for themselves. So their nose gets longer the more they lie, and that's something that you can recognize as a lie recognition pattern. I hope now this will help you to understand what the Pinocchio effect is; it's actually a terminus technicus that really exists, the Pinocchio effect, that people are trying to advocate something in front of themselves, not in front of you. Watch these people, observe it, and find the liars, because otherwise you can end up in a job that you will not like because somebody promised you something which is absolutely out of the scope. For example, I worked for a company which outsourced almost 100 percent of their IT, and I saw that there is no job for me, so why did they hire me? They thought that I will do the vendor management, but I'm not a vendor manager, I'm a technician, I'm an engineer, I'm an architect, that's who I am, who I will be and who I want to be. I want to create a better world with technology, that's very simple, and I hope that you are the same. Maybe you want to make money, you want to pay a mortgage, but our job is a place where we spend eight hours per day, and I really don't want to spend eight hours per day in a place which doesn't matter, with people who really don't like me or who lie to me. So let's build a trap for them. There's a nice lever, and I hope... Pinocchio, bye bye, now he's trapped, and I hope that our final boss is out.

But the questions are still here. We need to understand what symmetric and asymmetric cryptography are. You need to know that in symmetric you have one key, and there is the problem of exchanging this key, and you need to be able to describe this. In asymmetric cryptography you need to understand that there is a private and a public key, and the public key is often used for encryption and the private key for decryption, so this key pair is used in asymmetric cryptography. You can also get the question about what the Diffie-Hellman handshake is, very simple, but sometimes we forget about that. What is PKI, public key infrastructure, what is a certificate authority and what is an intermediate authority? If you are at another level, closer to the medium level of these questions, they can ask you how you will build a multi-region certificate authority in the cloud. That's a question that I got: how will you do that in AWS? Yes, it's hard, because you need to investigate that a little bit, you need to check whether you need one certificate authority for multi-region or one certificate authority in every region. That's the question; just do your homework and test if you really know all these questions. Then can you name some symmetric algorithms? They can ask you, okay, a symmetric algorithm, what is that? It's Triple DES, it's AES or any other, RC4; or asymmetric algorithms, RC4... oh sorry, RSA, and elliptic curve based cryptography. Are you able to name at least a few of them? Or they can ask you, please, can you name several hash functions, what is a hash? That's the question that I really hate most, what is a hash. You know, we all know that this is a one-directional function, and then you say, yeah, I know SHA-256, you know, MD5, and I was on an interview where there was a guy who told me, "and what, man, do you know something else?" Yeah, then, because of that, I said okay, I didn't have anything in my mind. Then I found BLAKE3 as a very interesting hash function and I recommend you check it too; there's a new version from January of this year. After that this guy asked me what salt versus pepper is, and I said okay, I know what salt is, it's a random number or random value added to the hash to make it resistant against rainbow tables, but then I forgot what pepper is. I really didn't hear about it for a long time, and I realized that I was not able to properly describe the pepper. So do your homework and check what's the difference between salt and pepper. I will not tell you that today; I will leave it to you to check it on the internet and do a little bit of your own research, and please put in the comments what is your answer for these questions and what is the trickiest question for you. Don't be afraid, and we can move to win the Hackitect coin for our first level. It's not the end; Pinocchio was just a small boss, this is not our final boss, and these questions are the most basic thing that you can get on an interview. It can be even harder, and it can be even worse, and your head will spin from the questions that you can get. So that's not the end. Thank you for watching, I hope that you enjoyed this special episode, I hope that you like my pixel art graphics. I'm not hiring any artist; I just found this weekend that this is a really great way to relax, and for this presentation I was busy creating these great animated GIFs. So thank you, and bye bye.
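The salt-versus-pepper question above is left as homework in the video; the following is an added worked example for this page (not the video's or the channel's code) showing how the two differ in password storage. The pepper value, user names and passwords are constructed for the demo; a real pepper lives in a secrets manager or environment variable, never next to the hashes.

```python
"""Salt vs. pepper in password hashing, standard library only.

- salt:   public, random, unique per user, stored beside the hash. Defeats
          precomputed (rainbow-table) attacks and makes equal passwords hash differently.
- pepper: secret, one value for the whole service, stored OUTSIDE the database.
          A stolen table of salts+hashes cannot be used to verify guesses without it.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Demo pepper (constructed). In production, load from a secrets manager / env var.
PEPPER = b"demo-pepper-do-not-store-in-db"
# OWASP's current PBKDF2-HMAC-SHA256 guidance; lower it only for demonstration speed.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """What a naive scheme stores: same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: bytes = PEPPER) -> Dict[str, str]:
    """Return the per-user record to store: salt, iteration count and derived hash.

    The pepper is applied first with HMAC, then PBKDF2 stretches the result
    with the per-user salt. Only salt/iterations/hash are stored; the pepper is not.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    peppered = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    derived = hashlib.pbkdf2_hmac("sha256", peppered, salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": str(PBKDF2_ITERATIONS),
            "hash": derived.hex()}


def verify_password(password: str, record: Dict[str, str],
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the service pepper; compare in constant time."""
    candidate = hash_password(password, bytes.fromhex(record["salt"]), pepper)["hash"]
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> Dict[str, bool]:
    """Two constructed users share a password; show what salt and pepper each buy."""
    shared_pw = "correct horse battery staple"  # constructed demo password
    alice = hash_password(shared_pw)
    bob = hash_password(shared_pw)
    return {
        # Without a salt the leak reveals that alice and bob use the same password.
        "unsalted_hashes_collide": unsalted_hash(shared_pw) == unsalted_hash(shared_pw),
        # With per-user salts the stored hashes differ even for identical passwords.
        "salted_hashes_differ": alice["hash"] != bob["hash"],
        "correct_password_verifies": verify_password(shared_pw, alice),
        "wrong_password_rejected": not verify_password("Tr0ub4dor&3", alice),
        # A stolen DB (salt + hash) is useless for checking guesses without the pepper.
        "needs_pepper_to_verify": not verify_password(shared_pw, alice, pepper=b"guess"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:28s} {'OK' if ok else 'FAIL'}")
```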
Info
Channel: Hackitect's playground
Views: 1,155
Rating: 4.891892 out of 5
Keywords: aws, devsecops, interview, šottl, cybersecurity, cyber, questions, 8bit, game, encryption, security, itsecurity, howto, job, ITjob, learning, cloud, hackitect, vpc, fantasy, tcp, udp, networking, devops, pipeline
Id: l4ZtwahYjTA
Length: 35min 52sec (2152 seconds)
Published: Wed Nov 18 2020