What different types of XSS are there? How are they exploited? How would you remediate them?

Also answer the above 3 questions for SQL injection and Cross site request forgery.

What type of vulnerabilities are hard to detect with automated scanners? How would you manually test these vulnerabilities?

It would be difficult to BS your way through an appsec interview unless the person interviewing you is clueless, or they are willing to take on somebody with little experience.

Not trying to be rude, just a warning. The interviewer can really ask anything as the range of knowledge you have to have is quite extensive.

I don't know how much time you have but I would recommend "The Web Application Hacker's Handbook." It is very in depth.

Answer from user3632719 on Stack Exchange
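The answer above leaves the "how would you remediate them?" part as an exercise. The following is an added, self-contained example (not from the Stack Exchange thread) that puts a vulnerable SQL lookup and a reflected-XSS template next to their fixed forms, using Python's bundled sqlite3 driver and a constructed two-row users table. The payloads, table and function names are all assumptions made for the demo.

```python
import html
import sqlite3

# Constructed sample data for this example; not from the page.
USERS = [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (username, secret) VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Deliberately vulnerable: the caller-supplied string is spliced into the SQL
    # text, so quote characters in it change the query's structure.
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Hardened: the value is bound as a parameter. The driver passes it as data,
    # so the same payload is compared literally against the column and matches nothing.
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Classic tautology payload: closes the quoted literal, then appends an always-true clause.
SQLI_PAYLOAD = "' OR '1'='1"


def render_greeting_vulnerable(name):
    # Reflected XSS: untrusted input lands in an HTML body context unencoded.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Fix for this context: HTML-entity encode. Attribute, URL and JavaScript contexts
    # need their own encoders; html.escape alone is not sufficient there.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


XSS_PAYLOAD = '<img src=x onerror="alert(1)">'


def demo():
    conn = make_db()
    return {
        "vulnerable_rows": lookup_vulnerable(conn, SQLI_PAYLOAD),
        "safe_rows": lookup_safe(conn, SQLI_PAYLOAD),
        "vulnerable_html": render_greeting_vulnerable(XSS_PAYLOAD),
        "safe_html": render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

Running it shows the tautology payload returning every row from the concatenated query and nothing from the parameterised one, and the `<img>` payload surviving intact in the first template but arriving as inert entities in the second. In an interview, the point worth making is that both fixes work by keeping data out of the parser that would otherwise interpret it as code, which is also why context-specific encoding matters for XSS.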
Tib3rius
tib3rius.com › interview-questions.html
Web AppSec Interview Questions | Tib3rius
Note that the answers aren’t necessarily complete, they are just how I would answer the question. ... Web Cache Deception involves finding some dynamic page which you can access via a URL a web cache will automatically cache (e.g. if /transactions can be accessed at /transactions.jpg). If an attacker can trick a victim into visiting the cacheable URL, they can then load the same URL and retrieve the victim's information from the cache. Web Cache Poisoning involves finding an input which results in some exploitable change in the response, but doesn't form part of the cache key for the request.
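Both cache attacks in the snippet hinge on a mismatch between what the origin treats as dynamic and what the cache treats as cacheable or part of the key. The following added example (a constructed simulation, not code from tib3rius.com) models a toy origin and a toy shared cache, each with a naive and a hardened variant, and runs both attacks against each. The `/transactions` and `/home` routes, the `X-Forwarded-Host` reflection, the session names and the extension list are all assumptions chosen to make the preconditions visible.

```python
from dataclasses import dataclass, field

# Constructed simulation for this example (not code from tib3rius.com): a toy origin
# and a toy shared cache, each in a naive and a hardened variant.


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookie: str = ""  # session cookie; empty means unauthenticated


@dataclass
class Response:
    body: str
    cache_control: str = ""


SESSIONS = {"sess-victim": "victim", "sess-attacker": "attacker"}
STATIC_EXT = (".jpg", ".png", ".css", ".js")


def origin(req, hardened=False):
    base, _, ext = req.path.partition(".")
    if base == "/transactions":
        # Deception precondition: the dynamic view also answers "/transactions.jpg".
        if hardened and ext:
            return Response("not found", "no-store")
        user = SESSIONS.get(req.cookie, "anonymous")
        # Hardened origin marks per-user data explicitly uncacheable.
        return Response(f"transactions for {user}", "no-store" if hardened else "")
    if base == "/home":
        # Poisoning precondition: X-Forwarded-Host is reflected but is not part of the cache key.
        host = "example.com" if hardened else req.headers.get("X-Forwarded-Host", "example.com")
        return Response(f'<script src="https://{host}/app.js"></script>', "public, max-age=60")
    return Response("not found", "no-store")


class Cache:
    def __init__(self, hardened=False):
        self.hardened = hardened
        self.store = {}

    def fetch(self, req):
        key = req.path  # cookies and X-Forwarded-Host are unkeyed in both variants
        if key in self.store:
            return self.store[key]
        resp = origin(req, self.hardened)
        if self.hardened:
            # Trust only explicit origin directives.
            cacheable = "public" in resp.cache_control and "no-store" not in resp.cache_control
        else:
            # Naive rule: a static-looking extension is enough to cache.
            cacheable = req.path.endswith(STATIC_EXT) or "public" in resp.cache_control
        if cacheable:
            self.store[key] = resp
        return resp


def cache_deception(cache):
    # Victim (logged in) is lured to the cacheable URL; the attacker then requests it anonymously.
    cache.fetch(Request("/transactions.jpg", cookie="sess-victim"))
    return cache.fetch(Request("/transactions.jpg")).body


def cache_poisoning(cache):
    # Attacker primes the cache with a reflected, unkeyed header; the victim gets the stored copy.
    cache.fetch(Request("/home", headers={"X-Forwarded-Host": "evil.example"}, cookie="sess-attacker"))
    return cache.fetch(Request("/home", cookie="sess-victim")).body


if __name__ == "__main__":
    print("deception, naive:   ", cache_deception(Cache()))
    print("deception, hardened:", cache_deception(Cache(hardened=True)))
    print("poisoning, naive:   ", cache_poisoning(Cache()))
    print("poisoning, hardened:", cache_poisoning(Cache(hardened=True)))
```

The hardened variant fixes deception on both sides (the origin refuses the fake extension and labels user data `no-store`; the cache stops inferring cacheability from the path) and fixes poisoning by having the origin stop reflecting the unvalidated header. The other standard remedy for poisoning, adding the header to the cache key, is not shown here; in a real CDN that is what a `Vary` header or custom key configuration does, and the caveat is that keying on a header the attacker controls lets them fill the cache with junk but no longer lets them serve it to others.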
Black Duck
blackduck.com › blog › web-appsec-interview-questions.html
Web AppSec Interview Questions Every Company Should Ask | Black Duck Blog
June 18, 2019 - Now is the time to ask some OWASP Top 10 questions to test your candidate’s knowledge of common web-based attacks. Attacks include SQL injection, XSS (cross-site scripting), CSRF (cross-site request forgery), directory traversal, LDAP/XML/command injection, clickjacking, remote file inclusion, remote code execution, buffer/integer/heap overflows, and so on. You could formulate hundreds of specific web AppSec questions.
Discussions

career - AppSec interview questions? - Information Security Stack Exchange
I am preparing for a technical interview for an AppSec pen-testing position. For those of you that have had AppSec positions, what sharp-shooter questions do you think I can expect? What questions More on security.stackexchange.com
security.stackexchange.com
June 29, 2015
What to expect in an interview for Application Security Manager?
They’re probably going to ask strategy related questions. Not sure if you’ve heard of SAMM/BSIMM or ASVS but those frameworks would probably get bells ringing for general strategy. I suspect they’d also ask how you’d measure success with some intention of leveraging KPIs or KRIs. Might be worthwhile to try and sketch out ideas on those measurements. If you’re not a CNA maybe get that queued for CVE publications. Just my .02. Not an AppSec manager but have done a lot of work in relation to those components and handed that off to a director to manage. More on reddit.com
r/cybersecurity
June 22, 2025
Application Security Engineer Interview !
1. Study code vulns beyond the OWASP 10, especially in JS/TS.
2. Understand how SAST works, and how to remediate vulns using the results.
3. Understand how to kick off a security review process for new features being introduced to the codebase.
4. Re: 2 & 3 above, understand how to collaborate cross-functionally with frontend, backend, product, and platform engineering orgs.

I saw you mention that SCA and CI/CD is not essential... this is completely false. If you don't understand how integration/smoke tests work, how to patch SBOM vulns without breaking prod, or understand where exactly vulns stem from (when they're not blindingly obvious SQLi or IDOR vulns), you won't make it. More on reddit.com
r/cybersecurity
September 28, 2025
Final Amazon Application Security Engineer Interview ...
r/cybersecurity
GitHub
github.com › jassics › security-interview-questions › blob › main › application-security-interview-questions.md
security-interview-questions/application-security-interview-questions.md at main · jassics/security-interview-questions
Security interview questions with possible explanation for roles in AppSec, Pentesting, Cloud Security, DevSecOps, Network Security and so on - jassics/security-interview-questions
Author   jassics
Indeed
indeed.com › career guide › interviewing › 40 application security interview questions (with examples)
40 Application Security Interview Questions (With Examples) | Indeed.com
December 12, 2025 - Make sure to have a question or two prepared before the interview to gain insightful information about the role you're applying for and show the interviewer your desire to be a part of the team. Example: "Yes! I would love to know more about Web Security's team of coders and what their daily assignments are like."
Webappsec
webappsec.org › documents › web_security_interview_question.shtml
Web Security Interview Questions - Web Application Security Consortium
Web Security Interview Questions [DOC] By Ryan Barnett The goal of this document is to provide appropriate questions for HR/Managers to pose to individuals who are applying for web security related positions. These questions do not have right or wrong answers, but rather spark relevant conversation ...
Startup Jobs
startup.jobs › interview questions › engineering › application security engineer
Application Security Engineer Interview Questions
Answer Example: "I’d define high-risk triggers (new auth flows, external integrations, sensitive data) and use a one-page template embedded in the design doc/PR. Reviews would be async by default with a 24-hour SLA, and CODEOWNERS would auto-request AppSec for triggered changes.
GitHub
github.com › security-prince › Application-Security-Engineer-Interview-Questions
GitHub - security-prince/Application-Security-Engineer-Interview-Questions: Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer · GitHub
Some of the questions which i was asked when i was giving interviews for Application/Product Security roles. I am sure this is not an exhaustive list but i felt these questions were important to be asked and some were challenging to answer - security-prince/Application-Security-Engineer-In...
Glassdoor
glassdoor.com › Interview › application-security-interview-questions-SRCH_KO0,20.htm
Application security Interview Questions | Glassdoor
In the process, I managed to confuse the person asking the question by giving obscure examples. ... Do you know what a threat model is? Tell me about it. ... Related roles: Penetration Tester, Security Consultant, Information Security Specialist, Information Security Manager, Cyber Security Analyst, Security Operations Center Analyst, Software Security Engineer, Information Security Architect, Information Assurance Engineer, Senior Security Analyst. Glassdoor has 461 interview questions and reports from Application security interviews.
Flexmind
flexmind.co › home › cybersecurity › 60+ practical application security interview questions
Top 60+ Practical Application Security Interview Questions
August 13, 2024 - This interview question set is mostly for defensive roles as compared to offensive roles, which are mainly called "Penetration Testing" or "Web Security" (sometimes the terms are used interchangeably). I will concentrate more on how an application is developed, maintained, and deployed and how, as a security engineer, you would help an engineering team to overcome security challenges.
GitHub
github.com › kh4sh3i › Application-Security-Interview-Questions
GitHub - kh4sh3i/Application-Security-Interview-Questions: Here are some common interview questions for an application security position you can review for your own interview, along with example answers · GitHub
https://security.stackexchange.com/questions/157061/how-does-csrf-correlate-with-same-origin-policy
In short, SOP only prevents reading data which was served from a different origin. It does not cover cross-domain form submissions, which are used to carry out a CSRF attack.
Exploiting SSRF attacks:
https://portswigger.net/web-security/ssrf
https://www.hackerone.com/blog-How-To-Server-Side-Request-Forgery-SSRF
https://blog.appsecco.com/an-ssrf-privileged-aws-keys-and-the-capital-one-breach-4c3c2cded3af
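The SOP point quoted in that README is the one interviewers probe: the browser happily submits a cross-site form, it just refuses to let the attacker's page read the response, so a state-changing endpoint that relies on the session cookie alone is exploitable. The following added example (a constructed simulation, not code from the linked repository or the Stack Exchange answer) models a relying site, an attacker page, and a simulated browser, and shows the three defences that actually close the hole: the cookie's SameSite attribute, an Origin/Referer check, and a per-session synchronizer token compared in constant time. The site name `bank.example`, the attacker origin `evil.example`, the session store and the form fields are all assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed simulation for this example (not from the linked repository or answer):
# a relying site at bank.example, one victim session, and an attacker page at evil.example.
SITE_ORIGIN = "https://bank.example"


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    cookie: str = ""  # session cookie the browser chose to attach, if any
    form: dict = field(default_factory=dict)


SESSIONS = {"sess-victim": {"user": "victim"}}


def issue_csrf_token(session):
    # Synchronizer token: random, bound to the session, embedded in the legitimate form.
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(req, session):
    # Layer 1: Origin (falling back to Referer) must be our own origin. Fail closed when
    # it is absent, since this guards a state-changing request.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return False, "missing Origin/Referer"
    if source != SITE_ORIGIN and not source.startswith(SITE_ORIGIN + "/"):
        return False, f"cross-origin request from {source}"
    # Layer 2: the token submitted in the form must match the session's, compared in
    # constant time so the comparison itself does not leak it.
    expected = session.get("csrf_token", "")
    submitted = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def handle_transfer(req):
    session = SESSIONS.get(req.cookie)
    if session is None:
        return 401, "no session cookie sent"
    ok, reason = csrf_check(req, session)
    if not ok:
        return 403, reason
    return 200, f"transferred {req.form['amount']} to {req.form['to']}"


def cross_site_post(samesite, send_origin=True):
    # Simulated browser: a page on evil.example auto-submits a form to bank.example.
    # SOP does not stop the submission (only the reading of the response); whether the
    # session cookie rides along is decided by the cookie's SameSite attribute.
    headers = {"Origin": "https://evil.example"} if send_origin else {}
    cookie = "sess-victim" if samesite == "None" else ""  # Lax and Strict withhold it on cross-site POST
    return Request(headers=headers, cookie=cookie, form={"to": "attacker", "amount": "1000"})


def legitimate_post():
    token = issue_csrf_token(SESSIONS["sess-victim"])
    return Request(headers={"Origin": SITE_ORIGIN}, cookie="sess-victim",
                   form={"to": "landlord", "amount": "900", "csrf_token": token})


if __name__ == "__main__":
    print(handle_transfer(cross_site_post("None")))
    print(handle_transfer(cross_site_post("None", send_origin=False)))
    print(handle_transfer(cross_site_post("Lax")))
    print(handle_transfer(legitimate_post()))
```

The layering is deliberate: with `SameSite=Lax` or `Strict` the forged POST never carries the cookie and dies at authentication; with `SameSite=None` it does carry the cookie and is stopped by the Origin check; if a proxy or privacy extension strips Origin and Referer, the handler fails closed rather than open; and a request that passes both still needs the unguessable token. Relying on SameSite alone is a common interview trap, since legacy cookies, browser defaults and subdomain takeovers all weaken it, which is why the token remains the primary control.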
Adaface
adaface.com › home › adaface | free interview questions & answers › 101 appsec engineer interview questions
101 AppSec Engineer Interview Questions
September 9, 2024 - Application Security Engineer interview questions for experienced · 1. How do you stay updated with the latest application security threats and vulnerabilities? 2. Describe a time you had to convince a development team to prioritize a security fix.
Reddit
reddit.com › r/cybersecurity › what to expect in an interview for application security manager?
r/cybersecurity on Reddit: What to expect in an interview for Application Security Manager?
June 22, 2025 -

I am a senior appsec engineer and have worked around sast, dast, threat modeling etc. Because I also have extensive penetration testing experience, I am very well aware of owasp top 10, cloud and network security.

I somehow got selected for final application security manager interview with technical director and I am scared. My current role is senior appsec engineer but I have never managed a team in appsec. What should I expect in the interview because I assume it will be more non-technical. Or am I not ready for this role?

Syed Huda
smhuda.com › blog › appsec-interview-prep
Application Security Interview Questions - Part 1 — Syed Huda
May 22, 2021 - This post contains a collated list of commonly asked technical questions on interviews for Application Security roles that can aid in preparation.
Medium
medium.com › @kaushikepari4 › top-60-interview-preparation-question-for-application-security-2024-004c9e818c86
Top 60+ Interview Preparation question for Application Security 2024 | by Kaushik Epari | Medium
September 25, 2024 - They reflect current trends, ... set of questions for advanced-level candidates. What are the common attack vectors in modern web applications, and how do you mitigate them?...
GitHub
github.com › aershov24 › web-security-interview-questions
GitHub - aershov24/web-security-interview-questions: 🔴 Web Security Interview Questions and Answered to prepare for your next Web Developer interview
🔴 Web Security Interview Questions and Answered to prepare for your next Web Developer interview - aershov24/web-security-interview-questions
Software Testing Help
softwaretestinghelp.com › home › interview questions and answers › top 30 security testing interview questions and answers
Top 30 Security Testing Interview Questions and Answers
April 1, 2025 - List of Most Frequently Asked Security testing Interview Questions with detailed Answers: What is Security Testing? Security testing is a process intended to reveal flaws in the security mechanisms of an information system that protect data and maintain functionality as intended. Security testing is the most important type of testing… · Top 4 Open Source Security Testing Tools to Test Web Application
Zenzap
zenzap.co › blog-posts › 12-crucial-application-security-engineer-interview-questions
12 Crucial application security engineer interview questions - Zenzap
The OWASP Top Ten is a standard awareness document for developers and web application security. Candidates should be able to explain its importance and how they have used it to guide security practices in their previous roles. This question evaluates problem-solving skills and practical experience.