Application Security Interview Questions
Practice application security topics including the OWASP Top 10, cryptography fundamentals, OAuth2/OIDC, JWT pitfalls, secrets management, and threat modeling.
Frequently Asked Questions
What security topics should I expect in a software engineering interview?
Most teams test the OWASP Top 10 (broken access control, injection, XSS, SSRF, IDOR), cryptography basics (symmetric vs asymmetric, hashing vs HMAC, TLS), session and cookie security (HttpOnly, Secure, SameSite), OAuth 2.0 / OIDC flow selection, JWT pitfalls (alg=none, alg-confusion, revocation), and secrets management. Senior roles add threat modeling (STRIDE), supply-chain hygiene, and zero-trust architecture.
Do I need a security background to pass these questions?
No - most interviewers want to see that you can build secure software, not that you can pop shells. Knowing why parameterized queries beat input sanitization, why HMAC beats raw hashing for signatures, and why authorization belongs at the data layer is enough for the vast majority of generalist roles. Dedicated security engineering roles go deeper into exploit development and architecture review.
How is application security different from network or infrastructure security?
AppSec focuses on flaws in code: how requests are parsed, how data is stored, how identity is verified, how access is authorized, and how outputs are encoded. Network/infra security covers segmentation, firewalls, IDS/IPS, and host hardening. The two overlap at things like TLS configuration and secrets management. Most engineering interviews emphasize AppSec because that's where the bugs you'll write live.
What's the difference between authentication and authorization?
Authentication answers 'who are you?' (passwords, MFA, OIDC tokens, mTLS). Authorization answers 'are you allowed to do this?' (RBAC, ABAC, ownership checks, policy engines like OPA/Cedar). The OWASP Top 10's #1 (Broken Access Control) is overwhelmingly authorization bugs - missing per-object checks (IDOR), overprivileged roles, and authorization done at the UI layer instead of the data layer.
What is threat modeling and when should I do it?
Threat modeling is structured analysis of what could go wrong with a system before you ship it. STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) over a data-flow diagram is the most common framework. Do it during design for any feature touching auth, money, PII, or external trust boundaries - it's far cheaper than fixing the same bugs after launch.
How do I store passwords correctly in 2026?
Use a memory-hard KDF: Argon2id (OWASP-recommended) with a per-user salt and a cost tuned so that a single hash takes ~250-500ms on your hardware. bcrypt and scrypt are acceptable legacy options. Never use plain SHA-256/SHA-512 (too fast, GPU-friendly), never use encryption (wrong primitive - you don't need to recover the password), and consider a server-side pepper stored outside the database as defense-in-depth, so that a leaked database on its own is not enough to start cracking.
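A worked example of the pattern above, added here and not part of the original page: it uses scrypt from Python's standard library (the acceptable fallback named in the answer) because Argon2id needs a third-party package. The cost parameters, the pepper value, the HMAC pre-hash step and the `scrypt$n$r$p$salt$hash` storage format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed cost parameters: tune n on your own hardware so one hash lands in
# the ~250-500 ms range the answer describes. n=2**14, r=8 uses ~16 MB of RAM.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1}
DKLEN = 32


def _prehash(password: str, pepper: bytes) -> bytes:
    # Server-side pepper applied via HMAC before the KDF. The pepper lives
    # outside the database (KMS, env var), so a leaked table alone is not
    # enough to start cracking.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, params=SCRYPT_PARAMS) -> str:
    # Fresh random per-user salt: identical passwords get different hashes
    # and precomputed (rainbow) tables are useless.
    salt = os.urandom(16)
    digest = hashlib.scrypt(_prehash(password, pepper), salt=salt,
                            dklen=DKLEN, **params)
    # Self-describing record so the cost can be raised later without a reset.
    return "scrypt$%d$%d$%d$%s$%s" % (params["n"], params["r"], params["p"],
                                      salt.hex(), digest.hex())


def verify_password(password: str, pepper: bytes, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(_prehash(password, pepper),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    # Constant-time comparison avoids leaking which byte first differed.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, params=SCRYPT_PARAMS) -> bool:
    # Records hashed under an older, weaker policy should be rehashed on the
    # next successful login, when the plaintext is briefly available.
    _, n, r, p, _, _ = stored.split("$")
    return (int(n), int(r), int(p)) != (params["n"], params["r"], params["p"])
```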