Are algorithms and data architecture normal for AppSec interview positions? - 0xDEFC0DE
======
rvz
Suppose you want to explain to the interviewer a basic heap buffer-overflow
vulnerability, use-after-free, or a simple stack-smashing attack. Are you
telling me that you shouldn't be expecting any data-structures / algorithms
questions to come up? I just mentioned 'stack', 'heap' and 'buffer', which is
a fixed-size array. Heck, the static analyzers that are used to detect
use-after-frees use advanced algorithms.

Data structures and algorithms are now assumed to be the new normal in
interviewing as a whole. Expect it in AppSec too if you want an advantage over
the other candidates.

~~~
0xDEFC0DE
Data Architecture -- as in, designing database tables, not data structures. I
was asked to design some tables for a payroll system and calculating
paychecks.

And for algorithms, I mean stuff like this:
[https://leetcode.com/problems/word-search/](https://leetcode.com/problems/word-search/)

I would expect these for a normal developer position.

Do you mean I have to practice pentesting on places like HackTheBox AND algo's
on leetcode and similar if I ever want to be in AppSec?

~~~
rvz
> Do you mean I have to practice pentesting on places like HackTheBox AND
> algo's on leetcode and similar if I ever want to be in AppSec?

TLDR: To some extent, yes. Some AppSec employers want both, and some want
in-depth security knowledge, but I won't risk not knowing algos when applying
to any role related to software.

As much as I do not like this way of interviewing, the reason why employers
use Leetcode is to give you the chance to 'prove your skills' if you don't
have any experience or a portfolio. I would not risk going to an interview
without studying algorithms for any software-related role, including AppSec.

Eventually, there will be too many candidates trying to convince the hiring
manager to select them for one job. In the case of the security industry, some
might use security blog posts, references to CVEs, HackerOne reports or CTFs
to shortlist them and bypass the leetcode stage, which I would prefer over
using leetcode. But not all AppSec employers look at this.

So yes, I'm afraid that to show you are the 'ideal candidate', you have to
know both algorithms and whatever domain you want to enter, to be on the safe
side.

~~~
0xDEFC0DE
I think I’ll just keep trying until I get a company with a different interview
process. It’s possible that they thought I was applying to a normal dev
position.

I would have expected questions about OWASP top 10 or pentesting questions but
these two questions were all I got. They asked about nothing recent I had
done.

And frankly that seems like a shitload of work for not a lot of extra salary.

