With all respect to the interviewer's point of view, I believe some of the questions did not quite match the job description.
To start with, here are the "responsibilities" taken from the job description:
Responsibilities:
· Application security reviews
· Penetration testing
· Projects and research work as needed
· Security training and outreach to internal development teams
· Security guidance documentation
· Security tool development
· Security metrics delivery and improvements
· Assistance with recruiting activities and administrative work
As per item number 1, this is what I do on a daily basis at my current work (especially on a code security level), however, there were no questions regarding that at all.
The second item is something I have done in the past, I must admit I am no expert on that but still, no direct questions were asked in relation to that, only a few indirect questions about SQL Injection and XSS (all of which I successfully answered), so this item was only partially covered.
A per 3rd item, only questions related to types and formal definition of "threat modeling" was asked. I did not know the official description and different types of that but this is something I do at my current job on a regular basis (in average, every month). The only thing is, what Threat modelling means for my current company is different from its general meaning and I made all that clear to the interviewer but apparently it wasnt enough. Long story short on that, I do have experience on Threat Modelling but from the way it was asked, it sounded like I did not know it enough.
As per item 4, this is one of strongest points yet it was not even mentioned by the interviewer. At my current company, we conduct such training for development teams more or less every month. Plus, I am also personally an instructor on Udemy (which is also stated in my CV).
As per item 5, Documentation in English is also one of my strongest points but it wasnt mentioned at all either.
Item 6, here the interviewer asked one question: "what was the last tool and which problem did it solve?" it was indeed a good question and I gave a good answer but the thing is, it did not even cover the surface of my security tool development experience in Python! As the last tool I worked on wasnt even connected to security
Item 7 is also something I am familiar with as improving metrics is something we do regularly for our SAST project, since you can say we are the ones who started this project from scratch in my current company. In other words, we still have the ownership of the project in addition to the technical aspects. Therefore, we are still working on improving the metrics (e.g. reducing the number of false-positives). This item was not mentioned either.
Per item 8, I dont have experience on that but if it was asked, I would say I would be willing to do that.
Instead of focusing on those areas, the interviewer decided to start the technical part with a totally different subject, i.e. internals of SSH.
Now one might still argue that this is something an application security engineer should know that but actually this can be only considered as an additional attribute (as it is stated under "preferred qualifications" and only after making sure that the main responsibilities are covered. However, for such a position, if one starts the technical interview around that, in my opinion, something is just not right. Furthermore, this Network topic is not something I am completely blank on at all either. In fact, I do have experience on packet analysis and Network Security since I worked on that in the past but as you can imagine, for the last 1,5 year I have been working on a completely different field (Application sec/code sec). As a side note, I can easily recover that after reading some documentation for 10-15 minutes.
There were 1 or 2 more questions which I could not answer (I believe one of them was on GPG encryption), all of which also suffered from the same thing
In addition to all of that, I made it clear to the interviewer that I am interested in Machine Learning and its relationship with security. Moreover, I added that I had the mathematical background ) for that as I studied Electronics Engineering in one of the best engineering faculties of Turkey (probably the best) and if enough opportunity was given, I would be ready to learn all the ML stuff and contribute.
How many of the applicants for IT Security can say something like that in your opinion? I am pretty sure most of them dont even know anything about basic things like limits, series, derivatives, probability etc. My math knowledge has also become a bit rusty as I learnt all that years ago but still, for me it would be a matter of "re-learning"
I have also sent a similar email to AWS recruitment team after the interview but they did not even bother to answer.
