November 25, 2025
12 min read
Junior Security Engineer Interview Questions: Complete Guide
interview
career-advice
job-search
entry-level
MB
Milad Bonakdar
Author
Master essential cybersecurity fundamentals with comprehensive interview questions covering CIA triad, OWASP Top 10, encryption, firewalls, and security best practices for junior security engineer roles.
Introduction
Security Engineers protect organizations from cyber threats by implementing security controls, monitoring systems, and responding to incidents. As a junior security engineer, you'll need foundational knowledge of security principles, common vulnerabilities, and defensive technologies.
This guide covers essential interview questions for junior security engineers, focusing on core security concepts and practical skills.
Security Fundamentals
1. Explain the CIA Triad.
Answer: The CIA Triad is the foundation of information security:
Confidentiality:
- Only authorized users can access data
- Achieved through: encryption, access controls, authentication
Integrity:
- Data remains accurate and unmodified
- Achieved through: hashing, digital signatures, checksums
Availability:
- Systems and data are accessible when needed
- Achieved through: redundancy, backups, DDoS protection
Loading diagram...
Example Violations:
- Confidentiality: Data breach exposing customer information
- Integrity: Attacker modifying financial records
- Availability: DDoS attack taking down website
Rarity: Very Common
Difficulty: Easy
OWASP Top 10
2. Name three items from the OWASP Top 10 and explain them.
Answer: OWASP Top 10 lists the most critical web application security risks:
1. Injection (SQL Injection): Attacker inserts malicious code into queries.
# Vulnerable code
username = request.GET['username']
query = f"SELECT * FROM users WHERE username = '{username}'"
# Attack: username = "admin' OR '1'='1"
# Secure code (parameterized query)
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))2. Broken Access Control: Users can access resources they shouldn't.
# Vulnerable: No authorization check
@app.route('/admin/users/<user_id>')
def get_user(user_id):
return User.query.get(user_id)
# Secure: Check authorization
@app.route('/admin/users/<user_id>')
@require_admin
def get_user(user_id):
if not current_user.is_admin:
abort(403)
return User.query.get(user_id)3. Cross-Site Scripting (XSS): Attacker injects malicious scripts into web pages.
<!-- Vulnerable -->
<div>Welcome, {{ username }}</div>
<!-- Attack -->
username = "<script>alert('XSS')</script>"
<!-- Secure (escape output) -->
<div>Welcome, {{ username | escape }}</div>Rarity: Very Common
Difficulty: Medium
3. How do you perform vulnerability management?
Answer: Vulnerability management is a continuous process of identifying, evaluating, and remediating security weaknesses.
Process:
Loading diagram...
Vulnerability Scanning:
# Nmap vulnerability scan
nmap --script vuln 192.168.1.100
# OpenVAS scan
openvas-start
# Access web interface at https://localhost:9392
# Nessus scan (commercial)
# Configure via web interfaceNessus Example:
# Automate Nessus scanning
import requests
import time
class NessusScanner:
def __init__(self, url, access_key, secret_key):
self.url = url
self.headers = {
'X-ApiKeys': f'accessKey={access_key}; secretKey={secret_key}'
}
def create_scan(self, name, targets):
data = {
'uuid': 'template-uuid', # Basic Network Scan
'settings': {
'name': name,
'text_targets': targets
}
}
response = requests.post(
f'{self.url}/scans',
headers=self.headers,
json=data,
verify=False
)
return response.json()['scan']['id']
def launch_scan(self, scan_id):
requests.post(
f'{self.url}/scans/{scan_id}/launch',
headers=self.headers,
verify=False
)
def get_results(self, scan_id):
response = requests.get(
f'{self.url}/scans/{scan_id}',
headers=self.headers,
verify=False
)
return response.json()
# Usage
scanner = NessusScanner('https://nessus:8834', 'access_key', 'secret_key')
scan_id = scanner.create_scan('Weekly Scan', '192.168.1.0/24')
scanner.launch_scan(scan_id)Patch Management:
# Linux patch management
# Ubuntu/Debian
sudo apt update
sudo apt list --upgradable
sudo apt upgrade -y
# CentOS/RHEL
sudo yum check-update
sudo yum update -y
# Automated patching
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgradesPrioritization Matrix:
| CVSS Score | Exploitability | Asset Criticality | Priority |
|---|---|---|---|
| Critical (9-10) | Public exploit | Production | P1 (Immediate) |
| High (7-8.9) | PoC available | Production | P2 (1 week) |
| Medium (4-6.9) | No exploit | Internal | P3 (1 month) |
| Low (0-3.9) | No exploit | Dev/Test | P4 (Next cycle) |
Remediation Tracking:
# Vulnerability tracking
class VulnerabilityTracker:
def __init__(self):
self.vulnerabilities = []
def add_vulnerability(self, vuln):
self.vulnerabilities.append({
'id': vuln['id'],
'severity': vuln['severity'],
'asset': vuln['asset'],
'status': 'open',
'discovered': datetime.now(),
'sla_deadline': self.calculate_sla(vuln['severity'])
})
def calculate_sla(self, severity):
sla_days = {
'critical': 7,
'high': 30,
'medium': 90,
'low': 180
}
return datetime.now() + timedelta(days=sla_days[severity])
def get_overdue(self):
return [v for v in self.vulnerabilities
if v['status'] == 'open' and
datetime.now() > v['sla_deadline']]Rarity: Common
Difficulty: Easy-Medium
Encryption Basics
4. What's the difference between symmetric and asymmetric encryption?
Answer:
Symmetric Encryption:
- Same key for encryption and decryption
- Fast
- Examples: AES, DES, 3DES
Asymmetric Encryption:
- Public key encrypts, private key decrypts
- Slower
- Examples: RSA, ECC
# Symmetric encryption (AES)
from cryptography.fernet import Fernet
# Generate key
key = Fernet.generate_key()
cipher = Fernet(key)
# Encrypt
encrypted = cipher.encrypt(b"Secret message")
# Decrypt
decrypted = cipher.decrypt(encrypted)
# Asymmetric encryption (RSA)
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
# Generate key pair
private_key = rsa.generate_private_key(
public_exponent=65537,
key_size=2048
)
public_key = private_key.public_key()
# Encrypt with public key, decrypt with private keyUse Cases:
- Symmetric: Encrypting large data (files, databases)
- Asymmetric: Key exchange, digital signatures, SSL/TLS
Rarity: Very Common
Difficulty: Easy-Medium
5. How does SSL/TLS work and how do you manage certificates?
Answer: SSL/TLS encrypts data in transit between client and server.
TLS Handshake:
Loading diagram...
How It Works:
- Client Hello: Client sends supported cipher suites
- Server Hello: Server chooses cipher, sends certificate
- Certificate Verification: Client validates certificate chain
- Key Exchange: Establish shared secret
- Encrypted Communication: Use symmetric encryption
Certificate Components:
# View certificate details
openssl x509 -in certificate.crt -text -noout
# Certificate contains:
# - Subject (domain name)
# - Issuer (CA)
# - Validity period
# - Public key
# - SignatureCertificate Management:
Generate CSR (Certificate Signing Request):
# Generate private key
openssl genrsa -out private.key 2048
# Generate CSR
openssl req -new -key private.key -out request.csr
# View CSR
openssl req -text -noout -verify -in request.csrSelf-Signed Certificate (Testing):
# Generate self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
# Combine for server use
cat cert.pem key.pem > server.pemInstall Certificate:
# Nginx
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/nginx/ssl/cert.pem;
ssl_certificate_key /etc/nginx/ssl/key.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
# Apache
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/key.pem
SSLCertificateChainFile /etc/apache2/ssl/chain.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>Common Misconfigurations:
1. Weak Protocols:
# Bad: Allows SSLv3, TLSv1.0
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Good: Only modern TLS
ssl_protocols TLSv1.2 TLSv1.3;2. Weak Ciphers:
# Test SSL configuration
sslscan example.com
nmap --script ssl-enum-ciphers -p 443 example.com
# Or use online tools
# https://www.ssllabs.com/ssltest/3. Expired Certificates:
# Check certificate expiration
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | \
openssl x509 -noout -dates
# Monitor expiration
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | \
openssl x509 -noout -enddateCertificate Automation (Let's Encrypt):
# Install certbot
sudo apt install certbot python3-certbot-nginx
# Obtain certificate
sudo certbot --nginx -d example.com -d www.example.com
# Auto-renewal (cron)
0 0 * * * certbot renew --quietTroubleshooting:
# Test TLS connection
openssl s_client -connect example.com:443 -servername example.com
# Verify certificate chain
openssl verify -CAfile ca-bundle.crt certificate.crt
# Check certificate matches private key
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# Hashes should matchRarity: Common
Difficulty: Medium
Firewalls
6. Explain stateful vs stateless firewalls.
Answer:
Stateless Firewall:
- Examines each packet independently
- No connection tracking
- Faster but less secure
- Example: Basic packet filter
Stateful Firewall:
- Tracks connection state
- Remembers previous packets
- More secure
- Example: Modern firewalls
# iptables (stateful)
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow new SSH connections
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Drop everything else
iptables -A INPUT -j DROPConnection States:
- NEW: First packet of connection
- ESTABLISHED: Part of existing connection
- RELATED: Related to existing connection
- INVALID: Doesn't match any state
Rarity: Common
Difficulty: Medium
SIEM
7. What is a SIEM and why is it important?
Answer: SIEM (Security Information and Event Management) centralizes log collection and analysis.
Core Functions:
- Log Collection: Gather logs from multiple sources
- Normalization: Standardize log formats
- Correlation: Identify patterns and relationships
- Alerting: Notify on suspicious activity
- Reporting: Compliance and forensics
Loading diagram...
Use Cases:
- Detect brute force attacks
- Identify data exfiltration
- Monitor privileged access
- Compliance reporting (PCI-DSS, HIPAA)
Popular SIEM Tools:
- Splunk
- ELK Stack (Elasticsearch, Logstash, Kibana)
- IBM QRadar
- ArcSight
Rarity: Common
Difficulty: Medium
8. What is the difference between IDS and IPS?
Answer: IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) monitor network traffic for threats.
Key Differences:
| Feature | IDS | IPS |
|---|---|---|
| Action | Detects and alerts | Detects and blocks |
| Placement | Out-of-band (passive) | Inline (active) |
| Impact | No traffic disruption | Can block legitimate traffic |
| Response | Manual | Automatic |
| False Positives | Less critical | More critical |
IDS Deployment:
Loading diagram...
IPS Deployment:
Loading diagram...
Snort Configuration (IDS/IPS):
# Install Snort
sudo apt install snort
# Configure network
sudo vi /etc/snort/snort.conf
# Set HOME_NET
ipvar HOME_NET 192.168.1.0/24
ipvar EXTERNAL_NET !$HOME_NET
# Run in IDS mode
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
# Run in IPS mode (inline)
sudo snort -Q -c /etc/snort/snort.conf -i eth0Snort Rules:
# Rule syntax
# action protocol src_ip src_port -> dst_ip dst_port (options)
# Detect SQL injection
alert tcp any any -> $HOME_NET 80 (msg:"SQL Injection Attempt"; \
content:"UNION SELECT"; nocase; sid:1000001; rev:1;)
# Detect port scan
alert tcp any any -> $HOME_NET any (msg:"Port Scan Detected"; \
flags:S; threshold:type both, track by_src, count 20, seconds 60; \
sid:1000002; rev:1;)
# Detect brute force SSH
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force"; \
flags:S; threshold:type both, track by_src, count 5, seconds 60; \
sid:1000003; rev:1;)
# Block malicious IP (IPS mode)
drop tcp 203.0.113.50 any -> $HOME_NET any (msg:"Blocked Malicious IP"; \
sid:1000004; rev:1;)Suricata (Modern Alternative):
# Install Suricata
sudo apt install suricata
# Update rules
sudo suricata-update
# Run Suricata
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
# View alerts
sudo tail -f /var/log/suricata/fast.logAlert Analysis:
# Parse Snort alerts
import re
from collections import Counter
def analyze_snort_alerts(log_file):
alerts = []
with open(log_file, 'r') as f:
for line in f:
# Parse alert
match = re.search(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]', line)
if match:
alerts.append({
'sid': match.group(1),
'message': match.group(4),
'line': line
})
# Top alerts
alert_counts = Counter([a['message'] for a in alerts])
print("Top 10 Alerts:")
for alert, count in alert_counts.most_common(10):
print(f"{count:5d} - {alert}")
return alerts
# Usage
alerts = analyze_snort_alerts('/var/log/snort/alert')Common Attack Signatures:
# SQL Injection
content:"' OR 1=1--";
content:"UNION SELECT";
# XSS
content:"<script>";
content:"javascript:";
# Command Injection
content:";cat /etc/passwd";
content:"|whoami";
# Directory Traversal
content:"../../../";
# Shellshock
content:"() { :; };";Best Practices:
- Regularly update signatures
- Tune rules to reduce false positives
- Monitor IPS for blocked legitimate traffic
- Integrate with SIEM for correlation
- Test in IDS mode before enabling IPS
Rarity: Common
Difficulty: Medium
Security Best Practices
9. How do you secure passwords?
Answer: Multi-layered password security:
1. Hashing (not encryption):
import hashlib
import os
def hash_password(password):
# Generate salt
salt = os.urandom(32)
# Hash password with salt
key = hashlib.pbkdf2_hmac(
'sha256',
password.encode('utf-8'),
salt,
100000 # iterations
)
# Store salt + hash
return salt + key
def verify_password(stored_password, provided_password):
salt = stored_password[:32]
stored_key = stored_password[32:]
key = hashlib.pbkdf2_hmac(
'sha256',
provided_password.encode('utf-8'),
salt,
100000
)
return key == stored_key2. Password Policy:
- Minimum length (12+ characters)
- Complexity requirements
- Password history
- Expiration (controversial)
3. Additional Security:
- Multi-factor authentication (MFA)
- Account lockout after failed attempts
- Password strength meter
- Breach detection (Have I Been Pwned API)
Never:
- Store passwords in plaintext
- Use weak hashing (MD5, SHA1)
- Hash without salt
Rarity: Very Common
Difficulty: Medium
Incident Response
10. What are the phases of incident response?
Answer: NIST Incident Response Lifecycle:
1. Preparation:
- Develop IR plan
- Train team
- Set up tools and monitoring
2. Detection & Analysis:
- Identify incidents
- Analyze scope and impact
- Prioritize response
3. Containment:
- Short-term: Isolate affected systems
- Long-term: Apply patches, rebuild systems
4. Eradication:
- Remove malware
- Close vulnerabilities
- Strengthen defenses
5. Recovery:
- Restore systems
- Monitor for reinfection
- Return to normal operations
6. Post-Incident:
- Document lessons learned
- Update procedures
- Improve defenses
Loading diagram...
Rarity: Common
Difficulty: Medium
Conclusion
Preparing for a junior security engineer interview requires understanding security fundamentals and practical skills. Focus on:
- Fundamentals: CIA triad, security principles
- OWASP: Common web vulnerabilities
- Vulnerability Management: Scanning, patching, prioritization
- Cryptography: Encryption, hashing, certificates
- SSL/TLS: Certificate management, common misconfigurations
- Defensive Tools: Firewalls, SIEM, IDS/IPS
- Best Practices: Secure coding, password security
- Incident Response: Detection, containment, recovery
Stay updated with security news, practice in labs, and pursue certifications (Security+, CEH). Good luck!
