Security Engineer Interview Questions


Security Engineer interview questions shared by candidates

Top Interview Questions

NTT Ltd.
Security Engineer was asked...August 23, 2012

During the technical interview, the second interview asked, "How would you configure trace route in a Cisco firewall for a group of Windows users?" I repeated the question to make sure I heard it correctly, and he responded with, "Windows fundamentally handles trace route differently than Unix does."

6 Answers

It's unfortunate that the way you were dismissed was a little bit unprofessional and seemingly misinformed. Also, in fairness, it's probably never a good idea to tell a candidate that they're "just average", even in cases where they really are. For what it's worth, I'd like to apologize on behalf of DD (as much as I'm technically allowed to do so) for the way it was handled. However, regarding the original point, the interview itself is specifically designed to fluster you. We actually expect most people to get this particular question wrong. The idea is not for us to see if you know it all but more specifically how you deal with questions you don't know the answer to. (Bonus points if you DO know, obviously.) We certainly don't expect candidates to know everything offhand, we just like to see whether or not you're going to try to BS your way through an answer. Since I wasn't on this particular call, I have no idea how it went for you but I can guarantee that the decision wasn't based on this question alone but was more likely an overall view of your skills based on all of your answers. I do realize that it's no picnic when you're on the phone but for the most part, they do try to take that into consideration. (I was hired over the phone as well, all the way from South Africa.)

I do understand what you have said, and I greatly appreciate the apology. I was very excited about this opportunity. I believe based off my experience and my knowledge of the position that I would have been a great asset to the team. I honestly do not know why the engineers I interviewed with or the recruiter would have felt the way the recruiter did. I know that the engineers I spoke with told me that the recruiter would call me with the next steps and I answered every question that they asked, except the aforementioned question. The following link is my LinkedIn profile ( This is about all I can say. I was excited and looking forward to the opportunity, but obviously I was not considered. Thank you for your time, response, and consideration. I wish you the best.

In Windows you use tracert, which works with ICMP echo and reply messages, and in a Cisco environment you use the traceroute command, which uses UDP as well as ICMP. But you have to configure the firewall to allow ICMP replies.


Write a function that can determine if an input number is a power of 2.

4 Answers

Indeed, it is as the previous poster stated. Quite simple -- my initial thought would have been repeated division by 2 looking for a remainder, but that is much heavier lifting.

    int is_power_of_2(int val)
    {
        /* A power of 2 has exactly one bit set, so val & (val - 1) is 0.
           Zero and negative values are rejected first (0 & -1 is also 0). */
        if (val > 0 && !(val & (val - 1))) {
            return 1; // val is a power of 2
        } else {
            return 0;
        }
    }

Multiple answers. Powers of 2 only have a single 1's bit, rest will be 0's. Use that fact. X (LOGICAL AND) (X - 1) = 0 i.f.f. X is a power of 2.

Sure, but every number is a power of 2, or a sum of powers of 2. For example, 16 is (2^4), and 33 is (2^5 + 2^0). If we want to just see if it is divisible, like Brian mentions, well, modulus operator works fine, but I don't think that is entirely the gist of the question. (X % 2) = 0 => divisible by 2, but not necessarily a power of 2, but instead a sum of powers of 2.


Given a router with a 50 character randomly generated password, how would you gain access to the router?

4 Answers

The second part of the above answer from Krazilee seems wrong. Let's say each character has 94 options (26 upper and 26 lower case letters; 10 digits; 22 special characters). Then the number of permutations for a 50 character randomly generated password is 94^50 = 4.5e98. If your script could check 1 trillion combinations per second, it would take 1.5e79 years to try them all. Even limiting each option to 26 lower case letters it would take 1.8e51 years at this speed.

You have to ask clarifying questions on this. Who owns the device? Where is it located? What type of device is it? If the company owns the device, then perform a password reset on it. The process varies depending upon the manufacturer of the device. Second, if you have physical access to the device, this makes recovery easier. Third, if it's a router that uses weak encryption and the configurations are backed up automatically, you can run a no-decrypt to retrieve the password. Like Cisco password 7. Furthermore, if the system is automatically backed up, and the process is done via this service account logging into the device, you can use this service account to reset the root if it has access to do so. In a secure environment (if the device is hardened appropriately) this will also be impossible. Lastly, you could do a brute force or use rainbow tables, but that is probably not the best idea. Especially if account lock outs and throttling logins by source happen, then you'll have to script differently. To summarize, ask clarifying questions and the point of this question is to understand how you critically think. This question challenges you from a technical ability perspective as well as being efficient with your time.
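An added example (not part of the answer above and not vendor code): a Python audit that flags credentials in an IOS-style configuration backup that are stored as cleartext or as type 7, the weak storage the answer mentions. The sample config, its placeholder values and the weak/strong policy are assumptions of the example.

```python
import re

# Encoding type -> (label, weak?). The weak/strong split is this example's
# own policy, not a vendor rule; types not listed are reported unclassified.
ENCODINGS = {
    "0": ("cleartext", True),
    "7": ("type 7, reversible obfuscation", True),
    "5": ("type 5, salted MD5", False),
    "8": ("type 8, PBKDF2-SHA256", False),
    "9": ("type 9, scrypt", False),
}

CRED_RE = re.compile(r"\b(?:password|secret)\s+(?:(?P<type>\d)\s+)?\S+\s*$")

# Constructed sample backup; every credential value is a placeholder.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 9 PLACEHOLDER_HASH
enable password 7 PLACEHOLDER_OBFUSCATED
username admin privilege 15 secret 5 PLACEHOLDER_HASH
username backup password 7 PLACEHOLDER_OBFUSCATED
line con 0
 password PLACEHOLDER_CLEARTEXT
line vty 0 4
 password 7 PLACEHOLDER_OBFUSCATED
 login local
"""

def audit_config(text):
    """Return (line_no, where, label, weak) for each credential line."""
    findings, section = [], "global"
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = CRED_RE.search(line)
        if m is None:
            if not raw[0].isspace():
                section = line  # unindented line opens a section, e.g. "line vty 0 4"
            continue
        enc = m.group("type") or "0"  # no type digit: stored exactly as typed
        label, weak = ENCODINGS.get(enc, ("type %s, unclassified" % enc, False))
        where = line[:m.start()].strip() or section
        findings.append((line_no, where, label, weak))
    return findings

def weak_lines(text):
    return [n for n, _, _, weak in audit_config(text) if weak]
```

Run against real backups, the flagged line numbers show which credentials to re-enter with a hashed `secret` form, and the backups themselves need the same access control as the device.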

Don’t try to get a successful authentication from the device itself; instead, depending on your use cases, hit the human layer, pop their endpoints or go after RADIUS or whatever other AAA they are using, or simply exploit the host if it is open to the web and can be cracked.


They asked me about Linux OS.

4 Answers


I want a job

If can you help me to get it


Can two files generate the same checksum?

4 Answers

Yes, Hash Collisions.
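An added example (not part of the answer above) that makes the collision concrete: a birthday search in Python that finds two different byte strings with the same checksum. It goes beyond the one-line answer by running the same search against CRC-32 and against SHA-256 truncated to 24 bits; the function names and the generated "file" contents are constructed for the example.

```python
import hashlib
import zlib

def crc32_checksum(data: bytes) -> int:
    """CRC-32 as used by zip and gzip: a 32-bit checksum."""
    return zlib.crc32(data) & 0xFFFFFFFF

def sha256_24bit(data: bytes) -> bytes:
    """SHA-256 truncated to 24 bits, standing in for any short checksum."""
    return hashlib.sha256(data).digest()[:3]

def find_collision(checksum):
    """Birthday search: return (file_a, file_b, files_tried) where the two
    distinct byte strings share a checksum. An n-bit checksum has only 2**n
    outputs, so a repeat is guaranteed within 2**n + 1 distinct inputs and
    expected after roughly 2**(n/2)."""
    seen = {}
    tried = 0
    while True:
        # Constructed "file" contents: 32 pseudo-random bytes per counter value.
        data = hashlib.sha256(b"constructed-file-%d" % tried).digest()
        tried += 1
        tag = checksum(data)
        if tag in seen and seen[tag] != data:
            return seen[tag], data, tried
        seen[tag] = data
```

The full SHA-256 digests of the two returned strings still differ, which is why integrity checks rely on a long cryptographic hash and not on a short checksum.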

Can you elaborate more questions



What is an advantage of a domain?

4 Answers

On the contrary, that question can only be understood by an applicant who knows that “Domain” here refers to applying the ISO 27001 standard. It has nothing to do with your website.

Central management and organization of a group of devices, users, and resources.

This question was obviously asked by someone who knows nothing about security. What is an advantage of a domain? What type of domain were they asking about? Physical? The name in a DNS? A logically separated environment? You are lucky you were not hired. The VP in charge is unethical and intolerable. Most people there don't like or trust him but he is protected by the COO.


What is volatile, static? How would it affect if the static keyword is used for a big array inside a function? What are the sections of memory and what kind of variable is stored where?

3 Answers

Just to clarify one thing: the static variables within a function are not allocated to the function or thread's stack; instead, they are allocated to the BSS area, just like other global variables, so it won't affect their function too much.

A static variable is not stored on the stack.

If volatile is used then the compiler doesn't consider optimizing that variable. Assume that a variable changed at the time of running, but some compiler optimized it; to avoid that we use volatile. Static is the keyword which is used to initialize once; that means extra burden for a compiler to keep the variable and permanently allocate space in stack. If you declare a static array then stack overflow will occur.

Check Point Software Technologies

How does a router differ from a switch?

3 Answers

Switches create a network. Routers connect networks.

Switches divide collision domains, routers divide broadcast domains

I began to describe NAT, nailed the buzzword and was cut off.

Ascend One

How many bits do you need for a subnet size.

3 Answers

Need to know subnetting off top of your head.

The minimum addresses needed is 2 bits for 4 addresses 2^(# of addresses) = 2^2, which is used for point-to-point links. Max addresses can go as much as a class A IP address /8, so the maximum bits is 32-8 = 24 bits.

If the number of addresses required in a subnet is "N", then you need 2 more (network and broadcast addresses) in addition to "N". So "N+2" is rounded off to the next power of 2. For example, if we need 64 addresses in a subnet, then 66 rounded to the next power of 2 is 2**7, i.e. 128, so the number of bits required is 7.

Shape Security

Most of the questions come from your resume. Your project whether is possible to convert into an application.

2 Answers

Can you please explain what you mean by the second part of your sentence

The key in these questions is to cover the fundamentals, and be ready for the back-and-forth with the interviewer. Might be worth doing a mock interview with one of the Shape Security or ex-Shape Security Security Engineer experts on Prepfully? They give real-world practice and guidance, which is pretty helpful.


Glassdoor has 3,442 interview questions and reports from Security engineer interviews. Prepare for your interview. Get hired. Love your job.