ibrolord

AWS AppSec CheatSheet/Prep

Aug 18th, 2021 (edited)
AppSec Interview questions
______________

https://github.com/security-prince/Application-Security-Engineer-Interview-Questions

https://wiki.owasp.org/index.php/Reviewing_Code_for_Data_Validation - code review

Books To Read
————————————
Microservices Security in Action - Prabath Siriwardena and Nuwan Dias
API Security in Action - Neil Madden
Threat Modeling: Designing for Security - Adam Shostack
The Tangled Web: A Guide to Securing Modern Web Applications - Michal Zalewski
The Hacker Playbook 3: Practical Guide to Penetration Testing - Peter Kim
Black Hat Python: Python Programming for Hackers and Pentesters - Justin Seitz
The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws - Dafydd Stuttard and Marcus Pinto
Securing DevOps: Safe Services in the Cloud - Julien Vehent

threat modelling / Code Review
——————
https://computer.howstuffworks.com/vpn.htm
https://www.youtube.com/watch?v=DJ41leCuUm0
https://www.youtube.com/watch?v=-LL4IE663ng
https://www.youtube.com/watch?v=Kepd1HsoE8o
https://www.youtube.com/c/CyberSecurityTV/videos
https://pycharm-security.readthedocs.io/en/latest/checks/index.html
https://www.youtube.com/watch?v=eQ1I0wzS8p0&t=3607s - code review
owasp.trendmicro.com
rules.sonarsource.com

Security Concepts
___________________

https://www.youtube.com/watch?v=heacxYUnFHA&t=663s - Cert Auth / Chain Of Trust
https://www.youtube.com/watch?v=qXLD2UHq2vk - Digital Certs
https://cwe.mitre.org/data/definitions/89.html - SQL injection
https://www.youtube.com/watch?v=mjQ2klZ0NQo - SSRF
https://www.youtube.com/watch?v=nTCDQ0UmFgE&t=844s
https://www.youtube.com/watch?v=2YD4vygeghM&t=278s - XSS
https://www.youtube.com/watch?v=ijalD2NkRFg - API security
https://www.youtube.com/watch?v=zTkv_9ChVPY - API security
https://www.youtube.com/watch?v=aQGbYfalRTA&t=1179s - better API sec
https://www.youtube.com/watch?v=5UTHUZ3NGfw&t=3234s - more API sec lol
https://www.youtube.com/watch?v=qqmyAxfGV9c - practical API sec
https://www.youtube.com/watch?v=27i_husVE1I&t=8506s - CEH
https://www.youtube.com/watch?v=jwzeJU_62IQ&t=35s - just check out his channel
https://www.youtube.com/watch?v=plv7PQZICCM - AWS KMS
https://www.youtube.com/watch?v=KGy_KCRUGd4&t=2565s - threat modelling
https://www.youtube.com/watch?v=-LL4IE663ng - some more threat modelling
https://www.youtube.com/watch?v=HnoZS5jj7pk&t=2467s - AWS DDoS
https://www.youtube.com/watch?v=ClWw1znEUqI - threat modelling
https://www.youtube.com/watch?v=We2cy8JwVqc&t=885s - excellent threat modelling
https://www.youtube.com/watch?v=l4GtDZZFcA8 - mobile threat modelling
https://www.youtube.com/watch?v=v0IsYNDMV7A&t=2391s - crypto stuff
https://www.youtube.com/watch?v=lLeKTVobxDM&t=1763s - OAuth
https://www.youtube.com/watch?v=0VWkQMr7r_c&t=3624s - OAuth
https://www.youtube.com/watch?v=sovAIX4doOE&t=2s - HTTP cookies
https://www.youtube.com/watch?v=SvppXbpv-5k&t=4s - SAML 2.0
https://www.youtube.com/watch?v=rTzlF-U9Y6Y - OpenID
https://www.youtube.com/watch?v=Tcvsefz5DmA - identity management
https://www.youtube.com/watch?v=89mJSz5HVLA - just some nice chill music from cash carti
https://www.youtube.com/watch?v=iYM2zFP3Zn0 - HTTP crash course
https://www.youtube.com/watch?v=UObINRj2EGY - GET vs POST
https://www.youtube.com/watch?v=NEKImNnYB70&t=1130s - GET vs POST
https://www.youtube.com/watch?v=2Nt-ZrNP22A&t=1604s - WebSocket
https://www.youtube.com/watch?v=pdC3H8SX-F4 - OWASP attacks
https://www.youtube.com/watch?v=2EyfgogwbyI - security vulns in Java

https://certificate.transparency.dev/howctworks/ - Certificates (Cert Transparency)
https://www.thesslstore.com/blog/ssl-precertificates/ - Certificates (Cert Transparency)
https://github.com/swisskyrepo/PayloadsAllTheThings
https://content-security-policy.com/
https://www.websecurity.digicert.com/en/ca/security-topics/how-does-ssl-handshake-work
https://www.jscape.com/blog/cipher-suites
https://owasp.org/www-project-top-ten/
https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
https://www.securew2.com/blog/public-vs-private-certificate-authority
https://pentesterlab.com/blog/jwt-vulnerabilities-attacks-guide
https://www.mitre.org/publications/systems-engineering-guide/enterprise-engineering/systems-engineering-for-mission-assurance/secure-code-review#:~:text=Definition%3A%20A%20secure%20code%20review,(flaws)%20in%20the%20code./
https://kinsta.com/blog/code-review-tools/
https://owasp.org/www-community/attacks/xss/
https://owasp.org/www-community/attacks/csrf
https://www.ssl2buy.com/wiki/symmetric-vs-asymmetric-encryption-what-are-differences#:~:text=Difference%20Between%20Symmetric%20and%20Asymmetric,and%20decrypt%20messages%20when%20communicating.
https://stackoverflow.com/questions/17954432/creating-a-daemon-in-linux
https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/
https://www.crowdstrike.com/cybersecurity-101/
http://www.netzmafia.de/skripten/unix/linux-daemon-howto.html
http://shahmirj.com/blog/beginners-guide-to-creating-a-daemon-in-linux
https://www.loggly.com/ultimate-guide/analyzing-linux-logs/
https://opensource.com/article/19/4/log-analysis-tools
https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/
https://doubleoctopus.com/blog/the-ultimate-guide-to-man-in-the-middle-mitm-attacks-and-how-to-prevent-them/
https://blog.securityinnovation.com/blog/2011/06/how-to-test-for-man-in-the-middle-vulnerabilities.html
https://www.softwaretestinghelp.com/networking-interview-questions-2/
https://www.beyondtrust.com/resources/glossary/systems-hardening
https://superuser.com/questions/1324629/does-an-identical-cryptographic-hash-or-checksum-for-two-files-mean-they-are-ide

https://doc.voluum.com/en/traffic_log_overview.html
https://www.geeksforgeeks.org/write-regular-expressions/
https://www.beyondtrust.com/blog/entry/vulnerability-remediation-5-steps-toward-building-effective-process
https://www.synopsys.com/glossary/what-is-threat-modeling.html
https://www.csoonline.com/article/3315700/what-is-application-security-a-process-and-tools-for-securing-software.html
https://www.guru99.com/tcp-3-way-handshake.html#:~:text=THREE%2DWAY%20HANDSHAKE%20or%20a,real%20data%20communication%20process%20starts.
https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/
https://www.sciencedirect.com/topics/computer-science/three-way-handshake#:~:text=TCP%20uses%20a%20three%2Dway,as%20shown%20in%20Figure%203.8.
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/#:~:text=SYN%20flood%20attacks%20work%20by,process%20of%20a%20TCP%20connection.&text=The%20server%20then%20responds%20to,the%20packet%20from%20the%20server.
https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work/20847#20847
https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https/5127#5127
https://security.stackexchange.com/questions/20803/how-does-ssl-tls-work/20851#20851
https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/#:~:text=SAST%2C%20or%20Static%20Application%20Security,for%20more%20than%20a%20decade.&text=DAST%2C%20or%20Dynamic%20Application%20Security,running%20application%2C%20typically%20web%20apps.
https://handouts.secappdev.org/handouts/2017/Andrew%20Lee-Thorp/2017-03,%20SecAppDev,%20Threat%20Modeling%20Lab.pdf
https://security.stackexchange.com/questions/tagged/threat-modeling
https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
https://study-ccna.com/arp/#:~:text=ARP%20(Address%20Resolution%20Protocol)%20is,device%20from%20an%20IP%20address.&text=All%20devices%20on%20a%20local,message%20containing%20its%20MAC%20address.
https://www.osibeyond.com/blog/digital-certificate/
https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
https://myknowpega.com/404.html#:~:text=Server%20side%20validation%20is%20mainly,side%20validation%20is%20very%20secure.
https://www.outsystems.com/blog/posts/asynchronous-vs-synchronous-programming/#:~:text=In%20synchronous%20operations%20tasks%20are,before%20the%20previous%20one%20finishes.
https://www.w3schools.com/whatis/whatis_ajax.asp
https://www.optiv.com/explore-optiv-insights/blog/tactics-techniques-and-procedures-ttps-within-cyber-threat-intelligence#:~:text=Tactics%2C%20techniques%20and%20procedures%20(TTPs,how%20threat%20actors%20perform%20attacks.
https://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch07_04.htm
https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work
https://www.slashroot.in/secure-shell-how-does-ssh-work
https://en.wikipedia.org/wiki/Secure_Shell_Protocol
https://www.appviewx.com/education-center/what-are-ssh-keys/
https://wifibond.com/2017/04/08/802-11-association-process/
https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_understanding_rsa_algorithm.htm
https://www.comparitech.com/blog/information-security/rsa-encryption/
https://www.isacybersecurity.com/elements-of-an-incident-response-plan/
https://www.sciencedirect.com/topics/computer-science/capture-network-traffic
https://en.wikipedia.org/wiki/Digital_signature
https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_one_time_pad_cipher.htm
https://en.wikipedia.org/wiki/One-time_pad
https://crypto.stackexchange.com/questions/810/what-is-the-difference-between-a-stream-cipher-and-a-one-time-pad#:~:text=One%2Dtime%2Dpads%20are%20theoretical,time%2Dpads%20what%20they%20are.&text=The%20most%20important%20difference%20is,stream%20ciphers%20have%20computational%20secrecy.
https://stackoverflow.com/questions/10471009/how-does-the-man-in-the-middle-attack-work-in-diffie-hellman#:~:text=%22The%20Diffie%2DHellman%20key%20exchange,own%20public%20value%20to%20Bob.
https://www.varonis.com/blog/what-is-oauth/#:~:text=OAuth%20doesn't%20share%20password,without%20giving%20away%20your%20password.
https://www.jscape.com/blog/what-is-hmac-and-how-does-it-secure-file-transfers
https://www.guru99.com/tcp-vs-udp-understanding-the-difference.html#:~:text=TCP%20is%20a%20connection%2Doriented,UDP%20uses%20no%20handshake%20protocols
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/ipsec_vpn_negotiations_c.html#:~:text=The%20main%20purpose%20of%20Phase,peers%20can%20negotiate%20Phase%202.&text=The%20purpose%20of%20Phase%202,encrypt%20and%20authenticate%20the%20traffic.
https://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
https://www.cloudflare.com/learning/ssl/keyless-ssl/
https://en.wikipedia.org/wiki/HTTP_cookie
https://www.linkedin.com/posts/cybersecurity-news_complete-authentication-types-cyber-security-activity-6792150995611856896-qvLa
https://stackoverflow.com/questions/2100356/is-it-secure-to-store-passwords-in-cookies
https://github.com/OWASP/ASVS/raw/v4.0.2/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.pdf
https://www.coveros.com/application-security-review-process-a-case-study/#:~:text=The%20application%20security%20process%20covers,have%20their%20respective%20quality%20gates.
https://owasp.org/www-project-application-security-verification-standard/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
https://learn.isc2.org/d2l/home/8487
https://www.codecademy.com/articles/what-is-rest
https://www.redhat.com/en/topics/api/what-is-a-rest-api
https://www.guru99.com/comparison-between-web-services.html#:~:text=SOAP%20stands%20for%20Simple%20Object%20Access%20Protocol%20whereas%20REST%20stands,REST%20is%20an%20architectural%20pattern.&text=SOAP%20only%20works%20with%20XML,can%20make%20use%20of%20SOAP.
https://portswigger.net/web-security/ssrf ***
https://apisecurity.io/issue-56-common-jwt-attacks-owasp-api-security-top-10-cheatsheet/
https://cyberpolygon.com/materials/security-of-json-web-tokens-jwt/
https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage
https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html
https://www.youtube.com/watch?v=SvppXbpv-5k
https://www.youtube.com/watch?v=lLeKTVobxDM
https://en.wikipedia.org/wiki/SAML_2.0
https://martinfowler.com/articles/agile-threat-modelling.html
https://techgenix.com/understanding-man-in-the-middle-attacks-arp-part1/
https://snyk.io/learn/secure-sdlc/
https://crypto.stackexchange.com/questions/6523/what-is-the-difference-between-mac-and-hmac#:~:text=The%20term%20%22MAC%22%20can%20refer,MD5%20or%20SHA256)%20into%20MACs.
https://www.opensecurityarchitecture.org/cms/foundations/osa-taxonomy
http://examples.complianceforge.com/ComplianceForge%20Hierarchical%20Cybersecurity%20Governance%20Framework.pdf
https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
https://medium.com/@paul_io/attack-grams-137d99772d07
https://medium.com/@paul_io
https://aws.github.io/aws-eks-best-practices/security/docs/
https://dzone.com/articles/all-you-need-to-know-about-user-session-security
https://portswigger.net/web-security/all-materials
https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
https://github.com/OWASP/DevGuide
https://www.smashingmagazine.com/2017/04/secure-web-app-http-headers/
https://tonyarcieri.com/all-the-crypto-code-youve-ever-written-is-probably-broken
https://medium.com/hackernoon/10-common-security-gotchas-in-python-and-how-to-avoid-them-e19fbe265e03
https://medium.com/@dhanukaperera/csrf-with-synchronizer-token-pattern-a4af534d1764
https://www.audienceplay.com/blog/hashing-vs-encryption-vs-salting-vs-encoding/
https://portswigger.net/web-security/csrf

https://devopedia.org/secure-coding-with-python
https://py.checkio.org/blog/how-to-write-secure-code-in-python/
https://realpython.com/prevent-python-sql-injection/

https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities/

Design Security
_____
https://www.teamblind.com/post/design-review-for-security-engineering-M7Sr8h78


Code Security
____
https://www.interviewkickstart.com/companies/google-cyber-security-interview-prep
https://linuxconfig.org/how-to-parse-data-from-json-into-python
https://www.freecodecamp.org/learn/scientific-computing-with-python/
https://www.freecodecamp.org/learn/information-security/
https://www.interviewkickstart.com/blog/coding-interview-cheat-sheet
https://www.interviewkickstart.com/problems/palindrome-pairs
https://www.interviewkickstart.com/problems/unique-binary-search-trees
https://www.interviewkickstart.com/problems/palindrome-partitioning
https://www.interviewkickstart.com/problems/longest-substring-without-repeating-characters
https://www.tutorialspoint.com/cryptography_with_python/cryptography_with_python_caesar_cipher.htm
https://likegeeks.com/python-caesar-cipher/
https://www.delftstack.com/howto/python/python-log-parser/
https://www.searchenginejournal.com/python-analysis-server-log-files/412898/
https://leetcode.com/discuss/interview-question/system-design/128037/How-would-you-parse-a-huge-log-file
https://leetcode.com/discuss/interview-question/1856246/Maximum-Security-getEncryptedNumber
https://www.teamblind.com/post/Security-Engineer-Interview-Resources-Megathread-Fp1izvtL
https://devskiller.com/coding-tests-category/security/
https://www.edureka.co/blog/interview-questions/cybersecurity-interview-questions/
https://github.com/dylanaraps/pure-bash-bible
https://explainshell.com/
https://www.appsecsanta.com/sast-tools
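
The coding exercise behind several of the log-parsing and regex links above (and the "parse a log file" / "order a log of traffic by date" tasks reported later in this paste) usually boils down to: parse a web-server access log, put it in time order, and point at the requests that look hostile. The script below is an added example, not code from the original paste; the log lines in SAMPLE_LOG are constructed for illustration (RFC 5737 documentation addresses), and the detection patterns are deliberately simple, an interview answer rather than a WAF.

```python
"""Access-log triage: parse combined-format lines, order them by timestamp,
and flag suspicious requests. Added example; SAMPLE_LOG is constructed."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Apache/nginx "combined" log format. Named groups keep the later code readable.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Crude signatures, enough to explain the idea; real detection belongs in a
# WAF ruleset or SIEM correlation rule with proper normalisation.
SIGNATURES = {
    "sqli": re.compile(r"'\s*(or|and)\s|union\s+select|sleep\(", re.I),
    "traversal": re.compile(r"\.\./"),
    "scanner": re.compile(r"sqlmap|nikto|masscan", re.I),
}

# Constructed sample input: out of order on purpose, with one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2021:10:01:03 +0000] "GET /login?user=admin'%20OR%20'1'='1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Aug/2021:09:58:41 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2021:10:01:05 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Aug/2021:10:00:00 +0000] "GET /products HTTP/1.1" 200 2048 "-" "sqlmap/1.5"
this line is garbage and must not crash the parser
"""


def parse_line(line):
    """Return a dict for a well-formed combined-log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], TS_FORMAT)
    entry["status"] = int(entry["status"])
    return entry


def flag(entry):
    """Tags for one request. The path is URL-decoded first; otherwise
    percent-encoded payloads (%27, %20) slip past naive patterns."""
    decoded_path = unquote(entry["path"])
    tags = []
    if SIGNATURES["sqli"].search(decoded_path):
        tags.append("sqli")
    if SIGNATURES["traversal"].search(decoded_path):
        tags.append("traversal")
    if SIGNATURES["scanner"].search(entry["ua"]):
        tags.append("scanner")
    return tags


def analyze(text):
    """Parse every line, drop junk, sort chronologically (logs merged from
    several hosts rarely arrive in order) and count flagged requests per client."""
    entries = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    entries.sort(key=lambda e: e["time"])
    flagged = []
    for entry in entries:
        tags = flag(entry)
        if tags:
            flagged.append((entry, tags))
    per_ip = Counter(entry["ip"] for entry, _ in flagged)
    return {"entries": entries, "flagged": flagged, "per_ip": per_ip}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for entry, tags in report["flagged"]:
        print(entry["time"].isoformat(), entry["ip"], entry["path"], tags)
    print("suspicious requests per client:", dict(report["per_ip"]))
```

For a "huge" log file the same structure works line by line from a file handle (no list of all entries), with the per-IP counter kept and sorting done externally, e.g. `sort -k4` on the bracketed timestamp.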


AWS Culture
————
https://www.youtube.com/watch?v=HC2S7VKh2VY
https://www.youtube.com/watch?v=rei30obkaBc
https://www.youtube.com/watch?v=oam8FDNJhbE


LP
________

https://www.youtube.com/watch?v=2HYBPKDZda0&t=1580s - meh

Use Dan Croissant (or whatever his name is), great guy though

https://interviewgenie.com/blog-1/2018/12/11/how-to-answer-amazon-are-right-a-lot-leadership-principle-interview-questions
https://interviewsteps.com/blogs/news/amazon-leadership-principles-interview?page=2
https://leetcode.com/discuss/interview-question/437082/Amazon-Behavioral-questions-or-Leadership-Principles-or-LP
https://b-ok.cc/dl/3328693/72fad0
https://theinterviewguys.com/amazon-interview-questions/
https://www.nailyourjobinterview.com/deconstruct-amazon-virtual-onsite-loop-behavioral-questions/
https://www.teamblind.com/post/Amazon-LP-interview-questions-RiwtSu0o
https://managementconsulted.com/amazon-leadership-principles/
https://quizlet.com/279919521/amazon-2-flash-cards/#
https://www.glassdoor.ca/Interview/Amazon-Interview-Questions-E6036.htm
https://www.tryexponent.com/questions?company=amazon&type=behavioral&src=dashboard

—————————————————————

Interview Questions
    •         How is the padlock icon in the browser generated?
    •         How does DNS work?
    •         Explain symmetric and asymmetric encryption.
    •         Applications of symmetric and asymmetric encryption?
    •         Name some cryptographic algorithms.
    •         What is SQL injection?
    •         What is CSRF?
    •         What is Perfect Forward Secrecy?
    •         How would you detect malicious activity in Amazon ELB?
    •         How does Amazon GuardDuty work?
    •         What is a cipher suite?
    •         Explain how TLS works.
    •         How is the cipher suite negotiated in TLS?
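
The cipher suite, forward secrecy and TLS questions above are easiest to answer with a concrete suite name in hand. The script below is an added example, not from the original paste: it splits OpenSSL-style suite names into key exchange / authentication / bulk cipher / hash, explains why only the (EC)DHE ones give forward secrecy, and builds a Python `ssl` client context that offers nothing else. The cipher string passed to `set_ciphers` is this example's own choice, not a value the paste recommends.

```python
"""Cipher-suite anatomy, forward secrecy, and a hardened TLS client context.
Added example, not from the original paste."""
import ssl

EPHEMERAL_KEX = {"ECDHE", "DHE"}            # ephemeral keys: forward secrecy
KEX_WITH_AUTH = {"ECDHE", "DHE", "ECDH", "DH"}  # names that carry kex AND auth tokens
STATIC_KEX = {"RSA", "PSK", "SRP"}          # one token does both jobs
WEAK_CIPHERS = ("RC4", "DES", "NULL", "EXP", "SEED", "IDEA")  # "DES" also catches DES-CBC3 (3DES)


def parse_suite(name):
    """Split a suite name into its components.

    TLS 1.2 names: KEX-AUTH-CIPHER-HASH, e.g. ECDHE-RSA-AES128-GCM-SHA256;
    legacy static-RSA suites omit the prefix (AES128-SHA = RSA key transport).
    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry only cipher and hash: key
    exchange is always ephemeral (EC)DHE and authentication always comes from
    the certificate, so every TLS 1.3 suite has forward secrecy."""
    if name.startswith("TLS_"):
        cipher, digest = name[4:].rsplit("_", 1)
        return {"kex": "(EC)DHE", "auth": "certificate", "cipher": cipher.replace("_", "-"),
                "hash": digest, "aead": True, "pfs": True}
    tokens = name.split("-")
    if tokens[0] in KEX_WITH_AUTH:
        kex, auth = tokens.pop(0), tokens.pop(0)
    elif tokens[0] in ("ADH", "AECDH"):       # anonymous: no authentication at all
        kex, auth = tokens.pop(0), "NONE"
    elif tokens[0] in STATIC_KEX:
        kex = auth = tokens.pop(0)
    else:
        kex = auth = "RSA"                    # no prefix: RSA key transport
    # GCM/CCM/POLY1305 suites are AEAD; a trailing SHAxxx there names the PRF,
    # while in CBC suites it names the HMAC.
    digest = tokens.pop() if tokens[-1].startswith("SHA") or tokens[-1] == "MD5" else "AEAD"
    cipher = "-".join(tokens)
    aead = any(tag in cipher for tag in ("GCM", "CCM", "POLY1305"))
    return {"kex": kex, "auth": auth, "cipher": cipher, "hash": digest,
            "aead": aead, "pfs": kex in EPHEMERAL_KEX}


def weaknesses(info):
    """Reasons to reject a suite, in the words an interviewer is after."""
    reasons = []
    if not info["pfs"]:
        reasons.append("no forward secrecy: a leaked server key decrypts recorded traffic")
    if info["auth"] == "NONE":
        reasons.append("anonymous key exchange: trivially MITM-able")
    if any(w in info["cipher"] for w in WEAK_CIPHERS):
        reasons.append("weak or broken bulk cipher: " + info["cipher"])
    if not info["aead"] and info["hash"] in ("SHA", "MD5"):
        reasons.append("CBC with HMAC-" + info["hash"] + ": padding-oracle prone, legacy MAC")
    return reasons


def hardened_client_context():
    """Refuse anything below TLS 1.2 and, for TLS 1.2, offer only (EC)DHE + AEAD
    suites. TLS 1.3 suites are governed separately by OpenSSL and are all
    ephemeral + AEAD already. The cipher string is this example's choice."""
    ctx = ssl.create_default_context()        # CERT_REQUIRED + hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def offered_suites(ctx):
    """Suite names the context would put in its ClientHello, in preference order."""
    return [c["name"] for c in ctx.get_ciphers()]


def is_hardened(ctx):
    """True when no pre-1.2 protocol and no non-PFS or weak suite is offered."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    return all(parse_suite(n)["pfs"] and not weaknesses(parse_suite(n)) for n in offered_suites(ctx))


if __name__ == "__main__":
    for name in ("ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA", "TLS_AES_128_GCM_SHA256", "ECDHE-RSA-RC4-SHA"):
        info = parse_suite(name)
        print(name, "->", info, weaknesses(info) or "ok")
    ctx = hardened_client_context()
    print("hardened:", is_hardened(ctx), offered_suites(ctx))
```

How the suite is negotiated: the client lists its suites in the ClientHello, the server picks one it also supports (by its own or the client's preference) and names it in the ServerHello; restricting the client list as above is what stops a server from steering you to a non-PFS suite.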

1. Manual code review in either Java, C# or Python.
2. Properties of TLS. What it supports. (Basically everything about it except for explaining the TLS handshake, which was strange, since the interviewer did not want that explanation.)
3. Manual threat model.
4. API implementation and design.
5. Authentication for APIs
6. Implementing TLS
7. Securing a SQL DB
8. CSRF
9. SQL Injection
10. Cipher Suites
11. Hashing vs Encryption

Leadership principles are very important. More than you think.
Jul 5, 2020
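
"Hashing vs Encryption" (item 11 above, and the "hashing scenario problem" further down) is usually asked as "how would you store a password?", and the answer is: you don't encrypt it, because encryption is reversible with the key; you hash it with a per-user salt and a slow key-derivation function, and you compare in constant time. The script below is an added example, not code from the original paste; the sample passwords are made up and the iteration count is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (600,000 as of 2023).

```python
"""Password storage done wrong and done right, plus a keyed hash (HMAC) to show
the difference between a hash and a MAC. Added example, not from the paste."""
import base64
import hashlib
import hmac
import os

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 (2023).
# Argon2id or scrypt are preferable when a library for them is available.
PBKDF2_ITERATIONS = 600_000


def naive_hash(password):
    """What NOT to do: fast and unsalted. Equal passwords give equal digests,
    so a precomputed table or one cracked account exposes everyone sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt + slow KDF. The record is self-describing so the
    cost can be raised later without invalidating existing hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password, stored):
    """Recompute with the stored salt and cost, then compare in constant time
    so response timing does not leak how many leading bytes matched."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def mac_tag(key, message):
    """A MAC is a *keyed* hash: integrity and origin, not confidentiality.
    Anyone can compute SHA-256 of a message; only holders of `key` can
    produce this tag, which is what makes it usable for signed cookies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key, message, tag):
    return hmac.compare_digest(mac_tag(key, message), tag)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    print("naive digests collide for equal passwords:", naive_hash("hunter2") == naive_hash("hunter2"))
    print("two salted records for the same password differ:",
          hash_password("hunter2", 1000) != hash_password("hunter2", 1000))
```

The same `hmac.compare_digest` discipline answers "can two files generate the same checksum?": a collision in SHA-256 is not something you will see by accident, so an equal digest is treated as identical content; the failure mode to worry about is a truncated or MD5/SHA-1 checksum, where collisions can be manufactured.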
  472.  
  473. For the phone screen make sure the following things are clear:
  474. 1. Appsec basics (owasp top 10)
  475. 2. Pick a domain area such as crypto or networking or something and make sure that is really good
  476. 3. They will give you a threat model so make sure you can enumerate the threats (follow STRIDE or STARLORD)
  477. 4. Talk about any automation or tools or scripts you have written in your present role.
  478.  
  479. For the non-tech part, here is a good starting point to prepare for behavioural questions - https://d1c.io/blog
  480.  
  481. @WFwz66
  482. Round 1-
  483. This is a screener, interviewer was 25+ years experience, more than 10 in amazon
  484.  
  485. What happens when you type amazon.com,
  486. you should be able to explain TCP handshake in detail , SYN flood and remediations were asked, ARP,DNS, DHCP, SSL handshake and SSL attacks (refer thomas pornin answer on stack exchange), etc as deep as possible.
  487.  
  488. SAST vs DAST
  489.  
  490. Explain SDLC - i explained threat modelling, shifting security left, security in CI/CD pipeline, etc
  491.  
  492. Round 2(Screener)
  493.  
  494. 1- situation you met a goal above and beyond - spoke about a tool i have written and got it deployed with hundreds of users per day
  495. 2-taken a decision without higher up approval, risk taking
  496.  
  497. Scenario of mobile app , Web app and database
  498. 2 controls each to protect each level
  499.  
  500. We did some detailed threat modelling here
  501.  
  502. After Round 2(Screener)- They scheduled 5 rounds all video conferencing in a single day
  503.  
  504. Final Round 1- Risk manager interviewing on Leadership principles - Failed this one
  505.  
  506. Somehow got stuck failing to find right examples for these questions.
  507.  
  508. When you had little data but yet had to deliver a project, how did you handle
  509. Explain a use case where you found multiple issues in a product in a single review, how did you assign risk to the issues found
  510. What risk frameworks do you use?
  511.  
  512. Final Round 2- This was a Bar Raiser Round by a Senior Security Engineer - This went quite well
  513.  
  514. How do you convince developers when they refuse to accept your security recommendations, how do you reach a common ground
  515. Some more leadership questions
  516.  
  517. Final Round 3- Cloud Security basics and Network Security - I failed this one
  518.  
  519. Usually they start from Basic and Drill as far as possible
  520. TCP/IP , UDP Differences in depth.Normal high level answers not enough.
  521. TCP handshake, SYN /ACK Flood attack remediations , they might ask you further questions and challenge your answers.
  522. You should be able to explain error detection and error corrections mechanisms etc for both. - I couldn’t remember these concepts in depth, this was the one that i failed at.
  523.  
  524. MAC address- ARP in detail and ip address
  525. Detailed questions on DHCP, does static ip address require DHCP
  526. DDOS attack and remediations- L3, L4,L7, refer https://www.cloudflare.com/learning/ddos/layer-3-ddos-attacks/
  527. I explained how a CDN can absorb all the attacks before they reach target server.- Not sure if he was satisfied
  528.  
  529. Questions on Cloud Security:- IAM policy differnces, why is IAM better - probably was looking for knowledge on STS
  530.  
  531. Final Round 4 - Application Security - Aced this one
  532. Most of OWASP Top 10 and remediations
  533. couple of cases of threat modelling
  534. 1- case of an email exchange server
  535. 2- a simple chat app
  536. Couple of leadership principles- Anything you have done innovative recently, how do you keep urself updated.
  537.  
  538. Final Round 5 - Hiring Manager - This one Went well
  539.  
  540. Leadership Questions:- When was the last time you were asked to submit a project under tight deadlines.How did you manage.
  541. Suppose you have to attend to issue of CEO who got phished vs zero day in your product which is public.
  542.  
  543. Result:- 5 interviews happened on Friday, they gave result on Monday Evening,quite fast
  544. Overall Positive but since i couldn’t clear Network Security competency , i was not selected.
  545.  
  546.  
  547.  
  548. What is the difference between client-side and server-side input validation and what is each used for?
What is XSS?
  549.  
  550. What are asynchronous requests and when does it make sense to use them? What is AJAX? What is the testing process you use for your UI code? Unit testing? Integration testing?

  551.  
  552.  
  553. Describe the last program or script that you wrote. What problem did it solve?

  554.  
  555. What happens when I type ssh for hostA & hostB
  556.  
  557. What happens when I type amazon in the browser
  558.  
  559.  
  560.  
  561. Threat modelling – what is it? Why is it important?
  562.  
  563. Are you familiar with any of the more common techniques for threat modeling? What are they?
  564.  
  565. What is XSS?
  566.  
  567. What is SQL injection?

  568. What is cross-site request forgery?
  569.  
  570. Give me your personal definition of cryptography

  571. Differentiate encryption and signing.
  572.  
  573. Difference asymmetric and symmetric cryptography.
  574. Pros/Cons of asymmetric/symmetric 

  575. PKI
  576.  
  577. SSO; OpenID, SAML, OAuth
  578.  
  579.  
  580. ——————
  581.  
  582.  
  583. Top 10 OWASP vulnerabilities
  584. Threat
  585. Risk
  586. Remediation
  587.  
  588. Explain OWSAP Top 10 and VPN connection
  589.  
  590. Technical:
  591. Hashing vs. Encryption?
  592. Symmetric vs Asymmetric? Examples of each?
  593. OWASP Top 10 and how to prevent them
  594. Hashing scenario problem
  595. Authentication scenario problem
  596. Session management scenario problem (CSRF)
  597. Certificate Authority
  598. DNS
  599. Recent hacks/news around cybersecurity
  600.  
  601. Behavioral:
  602. Why Amazon?
  603. Tell me about a goal and the steps you took the accomplish
  604. Tell me about a time you went through a personal obstacle or challenge
  605. Tell me about your favorite project
  606. Tell me about a time when you took on something you weren’t required to do
  607.  
  608.  
  609. - In my case it was more about coding, code review and situational questions.
  610.  
  611.  
  612.  
  613. It was good I think, they do not ask traditional questions, they gave me a situation and asked my approach. First interview successful for me, second interview a little bit difficult I think. I had a task to complete in an hour.
  614.  
  615. What do you do, the incident reported firefox version was infected by malware.
  616.  
  617. What is XSS vulnerability?
  618. What is SQL Injection vulnerability?
  619. What is CSRF vulnerability?
  620. Difference between symmetric and asymmetric key?
  621. More 3-4 similar questions
  622.  
  623. I was contacted by a recruiter.
  624. We've quickly arranged a phone interview. It lasted one hour, the interviewer was very pleasant. The questions were mainly about network security, what happens when you type in "amazon.com", intercepting traffic, TLS, Unix and access rights. One question was behavioural, one of the classic questions you can find on the Internet.
  625. No one got back to me for several days. After a reminder, I was told I've passed, so we've arranged another interview. The second interview went for 2 hours, one-hour behavioural, one-hour technical task. Technical had three parts to it: writing a daemon for a task, analyzing a network dump and parsing a log file. The tasks are fairly easy, but time-consuming if you don't do them on a daily basis.
  626. Got a rejection email in a few days. I've asked two small follow-up questions - no one cared to respond to this day, even after a reminder.
  627. I wasn't asked a single question about web security or SDLC for an Application Security position, which I find very surprising.
  628. In general, the aftertaste is that people are uninterested and arrogant, apart from the first phone interview which was nice and friendly. Technical tasks and questions are okay for a knowledgeable person.
  629.  
  630.  
  631. How to intercept traffic between a victim and a webserver?
  632.  
  633. Security fundamental questions: OWASP top10, crypto algorithms, network protocols, one project in detail from your resume (I explained password cracker)
  634. Penetration testing,
  635. log monitoring,
  636. server security hardening questions (all were scenario-based)
  637. previous experience and projects
  638.  
  639.  
  640. First round was a phone interview with an AWS Security Engineer. It lasted an hour and covered network protocols, TLS/UDP, DNS etc and also threat modelling scenario.
  641.  
  642. I found out the next day that I had moved onto the next round (the Amazon loop) this was with 5 Amazon employees across software engineering and security teams, 1 was the hiring manager. Each round focused on behavioural questions (Amazon Leadership Principles) and technical questions. The technical questions covered usual network security questions, code review and threat modelling.
  643.  
  644. I felt a bit out of depth in some areas, but 4/5 people I interviewed with were patient and taught me something new which I appreciated. There was 1 engineer that kept interrupting me and it felt more like an interrogation than an interview at one point but maybe I just wasn’t staying inline with what they were asking.
  645.  
  646. Overall, even though I wasn’t successful I got some great advice and guidance from the interviewers. It’s a long day of interviewing (5 hours) so it’s good to get something out of it at least.
  647.  
  648. In depth scenario about how I might find evidence of malicious activity within the AWS EBS service. Interviewer used almost the whole hour to dig in on this.
  649.  
  650. Can two files generate the same checksum?
  651.  
  652. What would you use to order a log of traffic by date?
  653.  
  654. Basic questions: what is encryption, how does authentication work, describe Unix fundamentals, how does Hashing work, describe how a for loop works.
  655.  
  656. Recruiter contacted me first, and scheduled a technical phone interview. The phone interview was about an hour, with a coding/scripting question (~20 mins) and some general questions about my experience/skills based on the resume (~30 mins).
  657. I didn't pass the phone interview but I already had an offer from another company.
  658.  
  659. a simple coding/scripting question (language of your choice)
  660. general questions about my experience/skills based on the resume
  661. didn't have the 14 principle questions
  662.  
  663. Do you have experience in writing REGEX?
  664.  
  665. Take us through a process in which you found a security vulnerability in a product and "owned" the remediation of the vulnerability end to end. (asked 5+ times)
  666.  
  667. Two rounds of face-to-face interview.
  668. First round was technical. Basic cryptography, privacy, OS sec, pentesting, security tools, projects, certifications, experience etc.
  669. Second was leadership and behavioral round (based on Amazon's 14 leadership principles).
  670.  
  671. Scenario based questions. "How would you exploit a system with these protections applied?"
  672.  
  673.  
  674.  
  675. The interview process started with an engineer asking about previous experience and a few technical questions. Second interview was related to threat modelling, something that I had never done in real life. I was never given any context about what kind of question was going to be on the interview. I was told that this was for an entry level position and I was surprised that the interviewer expected me to be on the same level as him (he had ~10 years of experience).
  676.  
  677.  
  678. I didn't feel bad about failing the interview because it felt like they didn't have a clear idea about the responsibilities of the position. And the process didn't feel humane at all.
  679.  
  680. My advice would be to know your candidate's background before interviewing. Interviewers should know what level of knowledge is expected for a particular position. Time is important.
  681.  
  682.  
  683. After initial phone calls and emails with the recruiting coordinator, I had two 1-hour technical phone interviews before going in for a day of 5 in-person interviews. Unfortunately, one of the interviewers could not call in that day so I had to wait and do another 1-hour phone interview 3 days later. The interviews consisted of both in-depth technical questions and situational/behavioral questions. The interviewers came from both the group I was trying to join and other groups who didn't know what that group did.
  684.  
  685.  
  686. Interview
  687. Received random interviews which mostly didn't relate to the position that I was being interviewed for. Talked to managers about some targeted PDF attack that they received and how I would defend against it if the opportunity cost was infinite dollars for the attack.
  688.  
  689. At one point I was abandoned in a break/lunch room for an hour for me to entertain myself with my phone. Someone found me eventually.
  690.  
  691.  
  692. They wanted to know about my ideas about digital currency and how I, without any recon or knowledge of Amazon infrastructure, would hack them.
  693.  
  694. I contacted AWS after reading an ad I'd seen on LinkedIn. The HR person called to set up the first phone screen interview and provided various documents including a consent for criminal records check and a statement of the Amazon values. These, I learned, are the cult truths that must be internalized by all new devotees.
  695.  
  696. First telephone screen was technical, was conducted by a senior engineer and took an hour. I should confess I knew little about AWS so I was a little wrong-footed because they opened with questions about their business offering. Then it got onto tech questions: "How would you do X?", "Explain what happens (in as much detail as possible) when a user does Y?" and so on. Since this was a security screen there were basic crypto and similar questions. I found that enjoyable and my interviewer told me I'd definitely be going forward. It took two weeks before I heard from HR and it was another phone screen, this time with a manager.
  697.  
  698. The second phone screen also asked some technical questions but the focus was different and considered me as a person and my work history. This was also scheduled to take an hour. I got a chance to explain my experience and to listen to some of the corporate spiel. It is clear that internalizing the Amazon values is core to acceptance. Again a positive verbal feedback and another two week wait.
  699.  
  700. Next up was the face-to-face meetings and they lined up five one-hour interviews with various senior people. For this they flew me interstate. Each interview had a different focus and they were largely enjoyable and interesting. I got to ask questions, but a combination of time constraints and not wanting to appear picky meant I didn't get to ask enough questions to satisfy myself as to what I'd actually do. I got a clear impression that they equate hours with effort and that work/life balance is tilted in favor of work. They also did not meet my interview expenses (I'd incurred about $100 for taxis etc.) and I thought that a bit cheap. I was also left in no doubt that on-calls will feature heavily and travel to Seattle will happen reasonably often. Another two weeks before the offer materialized.
  701. Interview Questions
  702. • I had no troubles with any of the tech questions but I definitely got one wrong (although I hinted it was more of a guess than knowledge) and couldn't answer another. The most difficult were business questions as they have fewer obviously correct answers.
  703.  
  704. * Use resources such as The Web Application Hacker's Handbook
  705. * Review all the OWASP classes of security bugs and make sure you are able to explain each notion by heart
  706. * Train yourself to be positive
  707. * Make sure you have done at least all LC easy and many LC medium.
  708.  
  709.  
  710.  
  711.  
  712.  
  713.  
  714.  