|
| 1 | + |
| 2 | +### **I. Introduction to DevSecOps Philosophy & Fundamentals (5 Questions)** |
| 3 | + |
| 4 | +1. **What is DevSecOps, and how does it fundamentally differ from traditional DevOps?** |
| 5 | + * **What to listen for:** A clear explanation that DevSecOps is the integration of security as a shared responsibility throughout the entire software development lifecycle (SDLC), not a separate phase at the end. The candidate should mention "shifting left," automation, and culture. |
| 6 | + * **Read:** [What is DevSecOps? (IBM)](https://www.ibm.com/think/topics/devsecops) & [DevSecOps vs. DevOps (Microsoft)](https://www.microsoft.com/en-us/security/business/security-101/what-is-devsecops) |
| 7 | + |
| 8 | +2. **Explain the "Shift-Left" security principle. Why is it a cornerstone of DevSecOps?** |
| 9 | + * **What to listen for:** Addressing security earlier in the SDLC (e.g., during design and coding) is cheaper, faster, and more effective than finding vulnerabilities in production. They should discuss threat modeling, SAST, and developer education. |
| 10 | + * **Read:** [Shift Left Security in DevSecOps (Practical DevSecOps)](https://www.practical-devsecops.com/what-is-shift-left-security-in-devsecops/) (Implied from ) & [Top 10 DevSecOps Best Practices (Check Point)](https://www.checkpoint.com/cyber-hub/cloud-security/devsecops/10-devsecops-best-practices/) |
| 11 | + |
| 12 | +3. **What are the key cultural changes required for a successful DevSecOps transformation?** |
| 13 | + * **What to listen for:** Breaking down silos, making security a shared responsibility (not just the security team's job), fostering collaboration between Dev, Sec, and Ops, and creating a blameless culture focused on continuous improvement. |
| 14 | + * **Read:** [DevSecOps Best Practices (Wiz.io)](https://www.wiz.io/academy/devsecops-best-practices) & [What is DevSecOps? (IBM)](https://www.ibm.com/think/topics/devsecops) |
| 15 | + |
| 16 | +4. **How do you measure the success and ROI of a DevSecOps program?** |
| 17 | + * **What to listen for:** Metrics like Mean Time to Remediate (MTTR) vulnerabilities, deployment frequency with security checks, reduction in critical vulnerabilities found in production, and compliance rate. |
| 18 | + * **Read:** [Top 10 DevSecOps Interview Questions (Medium)](https://mihirpopat.medium.com/top-10-devsecops-interview-questions-and-answers-to-help-you-land-the-job-7d5d1ebb90ec) |
| 19 | + |
| 20 | +5. **Describe the role of automation in DevSecOps. What are some key security tasks that must be automated?** |
| 21 | + * **What to listen for:** Automation is essential for scale and speed. Key areas include security testing (SAST, DAST, SCA), compliance scanning, infrastructure security checks, and incident response playbooks. |
| 22 | + * **Read:** [How to implement DevSecOps (Microsoft)](https://www.microsoft.com/en-us/security/business/security-101/what-is-devsecops) & [DevSecOps Best Practices (Wiz.io)](https://www.wiz.io/academy/devsecops-best-practices) |
| 23 | + |
| 24 | +--- |
| 25 | + |
| 26 | +### **II. Kubernetes Security (6 Questions)** |
| 27 | + |
| 28 | +6. **Explain the four pillars of Kubernetes security (API Server, Pods, Nodes, Cluster).** |
| 29 | + * **What to listen for:** Securing the API server (TLS, authz), Pod security (non-root users, read-only roots, Pod Security Standards), Node hardening (minimal OS), and Cluster-wide policies (network policies). |
| 30 | + * **Read:** [Kubernetes Security 101 (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 31 | + |
| 32 | +7. **What are Kubernetes Pod Security Standards (PSS)? Differentiate between "Baseline" and "Restricted" policies.** |
| 33 | + * **What to listen for:** PSS are replacement for Pod Security Policies (PSP). Baseline prevents known privilege escalations; Restricted is a strongly hardened subset. |
| 34 | + * **Read:** [Official Kubernetes Documentation on PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/) (Not in results, but essential) |
| 35 | + |
| 36 | +8. **How do you implement Network Policies to enforce least privilege communication between microservices?** |
| 37 | + * **What to listen for:** Using `NetworkPolicy` resources to allow ingress/egress traffic only to/from specific pods based on labels, namespaces, or CIDR blocks. They should mention a default-deny strategy. |
| 38 | + * **Read:** [Threat Modeling for Kubernetes (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 39 | + |
| 40 | +9. **Describe the importance of Service Accounts and how to secure them.** |
| 41 | + * **What to listen for:** Pods use Service Accounts to authenticate to the API Server. They should discuss avoiding default SA, binding SAs to minimal RBAC roles, and not automounting SA tokens unnecessarily. |
| 42 | + * **Read:** [Kubernetes Security 101 (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 43 | + |
| 44 | +10. **What tools would you use to scan a Kubernetes cluster for misconfigurations and vulnerabilities?** |
| 45 | + * **What to listen for:** Mention of open-source tools like `kube-bench` (CIS benchmarks), `kube-hunter` (pen-testing), `trivy` (vulnerability scanning), or commercial platforms. |
| 46 | + * **Read:** [Container Security Best Practices (Check Point)](https://www.checkpoint.com/cyber-hub/cloud-security/devsecops/10-devsecops-best-practices/) |
| 47 | + |
| 48 | +11. **How does a Secret Management solution (e.g., Vault, Sealed Secrets) integrate with Kubernetes?** |
| 49 | + * **What to listen for:** Moving away from native Kubernetes Secrets (stored as base64 in etcd). Using tools like HashiCorp Vault with injector sidecars or external secrets operator to manage secrets dynamically. |
| 50 | + * **Read:** [Handling secrets management (Medium Interview Questions)](https://mihirpopat.medium.com/top-10-devsecops-interview-questions-and-answers-to-help-you-land-the-job-7d5d1ebb90ec) |
| 51 | + |
| 52 | +--- |
| 53 | + |
| 54 | +### **III. Docker & Container Security (6 Questions)** |
| 55 | + |
| 56 | +12. **What are the key best practices for writing a secure Dockerfile?** |
| 57 | + * **What to listen for:** Using minimal base images (e.g., `alpine`), running as non-root user, keeping images updated, using multi-stage builds to reduce attack surface, and not storing secrets in layers. |
| 58 | + * **Read:** [Container Security Best Practices (Check Point)](https://www.checkpoint.com/cyber-hub/cloud-security/devsecops/10-devsecops-best-practices/) |
| 59 | + |
| 60 | +13. **How do you ensure container images are free from known vulnerabilities before deployment?** |
| 61 | + * **What to listen for:** Integrating static vulnerability scanning (e.g., Trivy, Grype, Snyk) directly into the CI/CD pipeline to scan images on every build and fail the build on critical CVEs. |
| 62 | + * **Read:** [Automate Security Testing (Wiz.io)](https://www.wiz.io/academy/devsecops-best-practices) |
| 63 | + |
| 64 | +14. **Explain the concept of a distroless container image. What are its security benefits?** |
| 65 | + * **What to listen for:** Distroless images contain only the application and its runtime dependencies, no shell, package manager, or other OS utilities. This drastically reduces the attack surface and blast radius. |
| 66 | + * **Read:** [Google's "Distroless" Container Images Documentation](https://github.com/GoogleContainerTools/distroless) (Not in results, but essential) |
| 67 | + |
| 68 | +15. **What are the security implications of container runtime privileges (e.g., `--privileged`, `cap-add`)?** |
| 69 | + * **What to listen for:** `--privileged` grants all capabilities and lifts security restrictions. Capabilities like `NET_RAW` or `SYS_ADMIN` are dangerous. The principle of least privilege should be applied. |
| 70 | + * **Read:** [Docker Security Documentation](https://docs.docker.com/engine/security/) (Not in results, but essential) |
| 71 | + |
| 72 | +16. **How do you enforce security policies at container runtime?** |
| 73 | + * **What to listen for:** Using tools like Open Policy Agent (OPA) with its container-focused project, Gatekeeper, to enforce policies (e.g., "all images must come from a trusted registry," "containers cannot run as root"). |
| 74 | + * **Read:** [Threat Modeling for Kubernetes (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 75 | + |
| 76 | +17. **Describe the shared kernel security model of containers and its risks.** |
| 77 | + * **What to listen for:** All containers on a host share the same OS kernel. A vulnerability in the kernel or a container breakout exploit can compromise the entire host and all other containers. |
| 78 | + * **Read:** [Container Security 101 (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 79 | + |
| 80 | +--- |
| 81 | + |
| 82 | +### **IV. Microservices & API Security (6 Questions)** |
| 83 | + |
| 84 | +18. **What are the primary security challenges in a microservices architecture compared to a monolith?** |
| 85 | + * **What to listen for:** Expanded attack surface, complex service-to-service authentication and authorization, securing API gateways, network security, and consistent security policy enforcement across all services. |
| 86 | + * **Read:** [API Security Fundamentals (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 87 | + |
| 88 | +19. **Compare and contrast security considerations for REST, SOAP, and gRPC APIs.** |
| 89 | + * **What to listen for:** REST (HTTPS/TLS, JSON validation, OAuth2), SOAP (WS-Security, XML encryption), gRPC (TLS for encryption, authz tokens in metadata, interceptors). |
| 90 | + * **Read:** [API Security Fundamentals (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 91 | + |
| 92 | +20. **How does a service mesh (e.g., Istio, Linkerd) enhance security in a microservices environment?** |
| 93 | + * **What to listen for:** It provides automatic mTLS for service-to-service communication, enforces access control policies, offers observability for traffic flows, and helps implement zero-trust networking. |
| 94 | + * **Read:** [Threat Modeling for Modern Environments (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 95 | + |
| 96 | +21. **What is the difference between authentication and authorization in the context of APIs?** |
| 97 | + * **What to listen for:** Authentication (AuthN) is verifying identity (e.g., via JWT tokens, API keys). Authorization (AuthZ) is verifying permissions to perform an action (e.g., via OAuth2 scopes, RBAC). |
| 98 | + * **Read:** [API Security Fundamentals (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 99 | + |
| 100 | +22. **How would you protect a public-facing API from common attacks (e.g., DDoS, injection, abuse)?** |
| 101 | + * **What to listen for:** Using a WAF, API gateway with rate limiting, input validation, strict output encoding, and monitoring for anomalous behavior. |
| 102 | + * **Read:** [API Security Fundamentals (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 103 | + |
| 104 | +23. **Explain the OWASP API Security Top 10. Name three and how to mitigate them.** |
| 105 | + * **What to listen for:** e.g., API1: Broken Object Level Authorization (mitigation: implement proper access checks), API2: Broken Authentication (mitigation: strong authentication, protect tokens), API8: Injection (mitigation: input validation, prepared statements). |
| 106 | + * **Read:** [Official OWASP API Security Project](https://owasp.org/www-project-api-security/) (Not in results, but essential) |
| 107 | + |
| 108 | +--- |
| 109 | + |
| 110 | +### **V. Cloud Security (AWS & GCP Focus) (6 Questions)** |
| 111 | + |
| 112 | +24. **Explain the Shared Responsibility Model in AWS/GCP. What is the provider responsible for vs. the customer?** |
| 113 | + * **What to listen for:** Provider: security *of* the cloud (hardware, infrastructure). Customer: security *in* the cloud (OS, network config, data, IAM, patching). |
| 114 | + * **Read:** [AWS Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) or [GCP Shared Responsibility Model](https://cloud.google.com/docs/security/shared-responsibility) (Not in results, but essential) |
| 115 | + |
| 116 | +25. **What are the core principles of Identity and Access Management (IAM) in the cloud?** |
| 117 | + * **What to listen for:** Principle of Least Privilege, role-based access, regular access reviews, avoiding use of root accounts, and leveraging multi-factor authentication (MFA). |
| 118 | + * **Read:** [Adopt Zero Trust Principles (Check Point)](https://www.checkpoint.com/cyber-hub/cloud-security/devsecops/10-devsecops-best-practices/) |
| 119 | + |
| 120 | +26. **How do you secure an S3 bucket or a GCP Cloud Storage bucket to prevent public exposure?** |
| 121 | + * **What to listen for:** Blocking public access at the account level, using IAM policies instead of bucket ACLs, enabling logging and versioning, using encryption, and scanning with tools. |
| 122 | + * **Read:** [Cloud Threat Modeling (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 123 | + |
| 124 | +27. **What is Infrastructure as Code (IaC) Security, and why is it critical? Name two tools.** |
| 125 | + * **What to listen for:** Scanning IaC templates (Terraform, CloudFormation) for misconfigurations *before* deployment. Critical for preventing insecure infrastructure from being provisioned. Tools: Checkov, Terrascan, TFsec. |
| 126 | + * **Read:** [Infrastructure as code scanning (Microsoft)](https://www.microsoft.com/en-us/security/business/security-101/what-is-devsecops) |
| 127 | + |
| 128 | +28. **Describe how you would secure a serverless function (AWS Lambda / Google Cloud Functions).** |
| 129 | + * **What to listen for:** Applying least privilege IAM roles, securing the function's trigger (e.g., API Gateway), scanning function code and dependencies, and avoiding secrets in environment variables. |
| 130 | + * **Read:** [Threat Modeling for Modern Environments (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 131 | + |
| 132 | +29. **How do you achieve network segmentation and isolation in AWS VPC or GCP VPC?** |
| 133 | + * **What to listen for:** Using public/private subnets, security groups (stateful firewalls) and NACLs (stateless firewalls) in AWS; Firewall Rules and VPC Networks in GCP. |
| 134 | + * **Read:** [Cloud Threat Modeling (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 135 | + |
| 136 | +--- |
| 137 | + |
| 138 | +### **VI. Threat Modeling & Risk Assessment (5 Questions)** |
| 139 | + |
| 140 | +30. **What is threat modeling, and why is it important in a DevSecOps culture?** |
| 141 | + * **What to listen for:** A systematic process to identify and mitigate potential security threats during the design phase. It's crucial for "shifting left" and building security in proactively. |
| 142 | + * **Read:** [Threat Modeling Best Practices for 2025 (Practical DevSecOps)](https://www.practical-devsecops.com/threat-modeling-best-practices/) |
| 143 | + |
| 144 | +31. **Walk me through the STRIDE threat modeling framework.** |
| 145 | + * **What to listen for:** Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. They should be able to give an example for each. |
| 146 | + * **Read:** [6 Threat Modeling Examples (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 147 | + |
| 148 | +32. **How does the DREAD model complement STRIDE?** |
| 149 | + * **What to listen for:** STRIDE identifies threats; DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) is used to rank and prioritize them based on risk. |
| 150 | + * **Read:** [6 Threat Modeling Examples (Spectral)](https://spectralops.io/blog/6-threat-modeling-examples-for-devsecops/) |
| 151 | + |
| 152 | +33. **Who should be involved in a threat modeling session, and why?** |
| 153 | + * **What to listen for:** A cross-functional team: architects, developers, security engineers, DevOps engineers, and product managers. Different perspectives are critical for a thorough analysis. |
| 154 | + * **Read:** [Who Should Be Involved in Threat Modeling? (Practical DevSecOps)](https://www.practical-devsecops.com/threat-modeling-best-practices/) |
| 155 | + |
| 156 | +34. **How would you integrate threat modeling into an Agile/Scrum development process?** |
| 157 | + * **What to listen for:** Conducting lightweight threat modeling as a sprint planning activity for new features or stories, focusing on the new attack surface introduced. |
| 158 | + * **Read:** [Threat Modeling in Agile and CI/CD (Practical DevSecOps)](https://www.practical-devsecops.com/threat-modeling-best-practices/) |
| 159 | + |
| 160 | +--- |
| 161 | + |
| 162 | +### **VII. Books & References for Further Study** |
| 163 | + |
| 164 | +* **General DevSecOps:** |
| 165 | + * *The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win* by Gene Kim |
| 166 | + * *The DevOps Handbook* by Gene Kim, Jez Humble, et al. |
| 167 | + * *Securing DevOps* by Julien Vehent |
| 168 | +* **Threat Modeling:** |
| 169 | + * *Threat Modeling: Designing for Security* by Adam Shostack (Not in results, but essential) |
| 170 | + * [Threat Modeling Best Practices for 2025 (Practical DevSecOps)](https://www.practical-devsecops.com/threat-modeling-best-practices/) |
| 171 | +* **Container/Kubernetes Security:** |
| 172 | + * *Container Security* by Liz Rice (Not in results, but essential) |
| 173 | + * [Kubernetes Security 101 (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
| 174 | +* **Cloud Security:** |
| 175 | + * *AWS Security* by Dylan Shields (Not in results, but essential) |
| 176 | + * *Google Cloud Platform (GCP) Security* by Prashant Priyam (Not in results, but essential) |
| 177 | +* **API Security:** |
| 178 | + * [API Security Fundamentals (Practical DevSecOps E-book)](https://www.practical-devsecops.com/e-books/) |
0 commit comments