The questions below showcase fictional use cases. Please use your own experience and stories while preparing for an interview.
Why did you choose to get into Pen Testing?
As an individual, I like to constantly learn new things. With penetration testing, I have always liked the idea of playing a vital role in identifying potential breakpoints across applications and infrastructure and exploring new ways to secure the environment.
As the ecosystem is dynamic and new technologies keep emerging, it gives me enough of an adrenaline rush to resolve interesting industry challenges – securing environments across industries.
What is the biggest Pen Testing challenge you have faced?
I have faced multiple challenging situations, but one of the most intriguing was an engagement in which our role was to assess the security of a unified application and its associated infrastructure for an Airport Operations Control Center (APOC).
As the application was hosted on a public cloud platform, we faced multiple limitations on how far we could go in security testing the application and its associated infrastructure. As the application was not hosted in a dedicated tenant in the cloud, we had to take numerous precautions to make sure our activity and POCs didn’t impact other tenants (and stayed within the testing criteria defined by the public cloud provider).
However, during the testing we identified multiple vulnerabilities across the cloud services which impacted our client and also other associated tenants. The key challenge was to ensure we didn’t breach our client’s agreement with the public cloud provider, and also to avoid a situation in which we could be held responsible for accessing other tenants’ data, which, as per the cloud provider’s security policy, would require them to inform the other tenants.
Through this engagement, we got multiple opportunities to redefine our TVM frameworks and methodology to align with and safeguard our team in such situations.
STAR (Situation, Task, Action, Result) story
Situation: We were engaged to perform a security architecture and technical assessment of an application hosted on the public cloud.
- We analyzed the attack surfaces and threats corresponding to:
  - application design and architecture
  - internal and external cloud interfaces
  - trust relationships across the application and network
  - technology-related processes supporting the application
- We defined a customized framework for the assessment and conducted the cloud security architecture review.
We familiarized the client with our proven cloud security delivery frameworks and tactical approach, which helped the client gain a better understanding of, and develop appropriate mitigation plans for, risks associated with cloud platforms across multiple service and deployment models.
We were also brought in to lead the cloud security design and were involved during the implementation and testing of various elements of the digital platform, including delivery of the operational and go-live phases of the program. We were able to review the deployment architecture on the cloud and validate the security of the application deployed there.
- The client awarded us another project associated with Cloud Security, in which we assisted the client in migrating critical servers to the cloud.
- The client got increased visibility into enterprise use and risks of cloud services.
- Increased capability to protect data in cloud services, based on potential risk exposure.
- Helped set standards and expectations with the client and influenced the security testing and validation strategies.
- Provided an integrated global approach to cloud – security by design with an enterprise view – to the development squad.