Suppose you want to explain to the interviewer a basic heap buffer-overflow vulnerability, use-after-free, or a simple stack-smashing attack. Are you telling me that you shouldn't be expecting any data-structures / algorithms questions to come up? I just mentioned 'stack','heap' and 'buffer' which that is a fixed-sized array. Heck, the static-analyzers that are used to detect use-after-free's use advanced algorithms.
Data structures and algorithms are now assumed to be the new normal in interviewing as a whole. Expect it in AppSec too if you want an advantage over the other candidates.
Data Architecture -- as in, designing database tables, not data structures. I was asked to design some tables for a payroll system and calculating paychecks.
> Do you mean I have to practice pentesting on places like HackTheBox AND algo's on leetcode and similar if I ever want to be in AppSec?
TLDR: To some extent, Yes. Some AppSec employers want both or some want in-depth security knowledge, but I won't risk not knowing algos when applying to any role related to software.
As much as I do not like this way of interviewing, the reason why employers use Leetcode is to give you the chance to 'prove your skills' if you don't have any experience or a portfolio. I would not risk going to the interview not studying algorithms with any software related role; including AppSec.
Eventually, there will be too many candidates trying to convince the hiring manager to select them for one job. In the case of the security industry, some might use security blog-posts, references to CVE's, HackerOne reports or CTFs to shortlist them and bypass the leetcode stage, which I would prefer that over using leetcode. But not all AppSec employers look at this.
So yes, I'm afraid to show you are the 'ideal candidate', you have to know both algorithms with whatever domain you want to enter in to be on the safe side.
I think I’ll just keep trying until I get a company with a different interview process. It’s possible that they thought I was applying to a normal dev position.
I would have expected questions about OWASP top 10 or pentesting questions but these two questions were all I got. They asked about nothing recent I had done.
And frankly that seems like a shitload of work for not a lot of extra salary.
4 comments
[ 4.0 ms ] story [ 18.2 ms ] threadData structures and algorithms are now assumed to be the new normal in interviewing as a whole. Expect it in AppSec too if you want an advantage over the other candidates.
And for algorithms, I mean stuff like this: https://leetcode.com/problems/word-search/
I would expect these for a normal developer position.
Do you mean I have to practice pentesting on places like HackTheBox AND algo's on leetcode and similar if I ever want to be in AppSec?
TLDR: To some extent, Yes. Some AppSec employers want both or some want in-depth security knowledge, but I won't risk not knowing algos when applying to any role related to software.
As much as I do not like this way of interviewing, the reason why employers use Leetcode is to give you the chance to 'prove your skills' if you don't have any experience or a portfolio. I would not risk going to the interview not studying algorithms with any software related role; including AppSec.
Eventually, there will be too many candidates trying to convince the hiring manager to select them for one job. In the case of the security industry, some might use security blog-posts, references to CVE's, HackerOne reports or CTFs to shortlist them and bypass the leetcode stage, which I would prefer that over using leetcode. But not all AppSec employers look at this.
So yes, I'm afraid to show you are the 'ideal candidate', you have to know both algorithms with whatever domain you want to enter in to be on the safe side.
I would have expected questions about OWASP top 10 or pentesting questions but these two questions were all I got. They asked about nothing recent I had done.
And frankly that seems like a shitload of work for not a lot of extra salary.