Amazon Interview experience for Application Security Engineer

Pratham Mittal
7 min read · Jun 7, 2024


Applying for the Job

I applied for this Security Engineer role on the Amazon site in the first week of March. To my surprise, after 4 days I got a call from a Technical Recruiter regarding the application, and I was asked to share my resume and my experience in years, as the requirement was a minimum of 2 years.

The very next day I received a call to discuss the timeline for scheduling my phone screen round.

Round 1: Phone Screen (Elimination Round)

It was an elimination round conducted by the hiring manager, based out of Bengaluru, India, and lasted around 75 minutes.

Problem 1 (20 minutes): I was first asked to review a piece of Python code and find as many security issues as I could in 15 minutes; the next 5 minutes were used by the hiring manager to discuss 3–4 interesting issues that I had reported in detail (he tried to confuse me about whether something was actually an issue or not; be confident!). The best part was that at the end he also told me 1 vulnerability which I had missed.

Problem 2 (20 minutes): Then he jumped to a threat modelling question. Again I was given 15 minutes to prepare a basic threat model (basic due to the limited time) following the STRIDE model, and the next 5 minutes were used by the hiring manager to review and cross-question me on the threat model I had prepared. This one was a bit easy, and the recruiter seemed to be happy with my solution and approach.

Suggestion: Ask as many questions as you can before going on to prepare the threat model.

Problem 3 (15 minutes): Some basic security (AppSec) questions and "Why Amazon?". This went on for 15 minutes.

Problem 4 (15 minutes): This was a leadership principle question. (These leadership principle questions will be asked in each and every round, so be prepared.)

Suggestion: Always take examples from your corporate journey and not from school/college/personal ones. The most important thing is to follow the STAR (Situation - Task - Action - Result) format while answering. Be prepared for some generic questions beforehand, as they will surely cross-question you based on your answer, and if you made up a story they will catch it.

NOTE: Leadership questions are as important in your selection journey as technical ones.

Last 5 minutes: At the end I was given 5 minutes to ask anything regarding Amazon or the security team.

What next? 3 days after my hiring manager round I got a mail with the feedback that I had cleared it and they wanted to go ahead. HR asked me to provide some time slots in the next week to conduct 4 back-to-back technical rounds of 1 hour each (non-elimination). On the basis of the feedback from all these 4 rounds, your fate will be decided.

Round 2: Technical Interview (Round 1)

The interviewer was from Dublin with 6 years of experience in Product Security. We both started by introducing ourselves.

Problem 1 (15 minutes): I was first asked to review a piece of Java code and find as many security issues as I could in 15 minutes; the next 5 minutes were used by him to discuss the remediation of almost all the security issues I had reported. In my case, for 2–3 vulnerabilities, the interviewer went into detail (and tried to confuse me as well, but I remained confident).

Problem 2 (30 minutes): Then he jumped to the coding problem. He had some code ready. He first asked me to choose my preferred language (I replied Python). So he gave me a half-written Python script with all the libraries imported and some parameters defined.

Question: The problem was to understand that half-written code, explain to him what you understood before completing it so that he could guide you if you were going in the wrong direction, and then complete it. I only vaguely remember the code, so I am refraining from mentioning it here. This was an easy-to-medium problem, not a hard one.

Suggestion: If you are not comfortable at any point, tell them and ask for help instead of doing just anything and ultimately wasting the interviewer's time. The motive behind this problem was to understand whether you can complete someone else's leftover code/problem in case he/she leaves or is not available, as automation/scripting is always a core requirement in product security teams.

Problem 3 (10 minutes): This was a leadership principle question.

Last 5 minutes: At the end I was given 5 minutes to ask anything regarding Amazon or the AppSec team.

Round 3: Technical Interview (Round 2)

The interviewer was from Dublin with around 10 years of experience in Product Security. We both started by introducing ourselves.

Problem 1 (15 minutes): In the first 15 minutes I was asked questions on network security and cryptography.

Questions: I can't reveal the exact questions, but they were situational questions about network security and cryptography suggestions.

Problem 2 (15 minutes): In the next 15 minutes I was asked about 8–9 vulnerabilities along with their remediation (not limited to the OWASP Top 10).

Question: Random vulnerabilities, not limited to the OWASP Top 10 (these were not straightforward questions but came with some twists and indirect references).

Problem 3 (15 minutes): In the next 15 minutes I was asked about cloud security (if you have knowledge of a cloud other than AWS, that is also fine).

Problem 4 (10 minutes): This was a leadership principle question.

Last 5 minutes: At the end I was given 5 minutes to ask anything regarding Amazon or the security team.

Round 4: Technical Interview (Round 3)

The interviewer was from London with around 7 years of experience in Product Security. We both started by introducing ourselves.

Question 1 (45 minutes): In this round only 1 question was asked, which was based on a threat model. The interviewer first asked me if I was comfortable with the cloud (AWS), as the threat model diagram also included some cloud components.

Once I gave the go-ahead, I was presented with a threat model diagram. First I had to explain the whole diagram to him; he was fully convinced of my understanding, so after that I had to perform threat modelling using the STRIDE model, and at the end he cross-questioned me on my answers and also cross-questioned me further on cloud-related issues and their remediation. This went on for 45 minutes.

Problem 4 (10 minutes): This was a leadership principle question.

Last 5 minutes: At the end I was given 5 minutes to ask anything regarding Amazon or the security team.

Round 5: Technical Interview (Round 4)

This round was also conducted by my hiring manager, who has around 15 years of experience and is based out of Bengaluru, India, and it was a mixture of leadership and technical questions. There was 1 more person shadowing the hiring manager in this round.

Problem (60 minutes): I was asked 3 leadership questions (20 minutes each). Based on my answers, he asked technical as well as leadership follow-up questions (these can be about some specific vulnerability, some project and its approach, how you led the project, how you convinced your manager or some developer/QA to fix a specific vulnerability, and what steps you took if they refused or gave a long SLA). You can even be asked questions about your bug bounty journey if you have mentioned it in your resume. There is nothing specific to this round; you will be asked questions based on your answers and resume!

Last 5 minutes: At the end I was given 5 minutes to ask anything regarding Amazon or the security team. This was my last round, and he told me it could take 1–2 weeks for the final feedback.

Summary: It was an awesome interview experience, as all the rounds covered almost all the important topics in a detailed yet planned manner. It was the first time I was interviewed by someone outside India, so I faced some issues in the first 5 minutes getting comfortable with their accents.

After 5 weeks (it got delayed due to the March–April appraisal period) I received a call from HR that I had been selected and they wanted to go ahead with my profile. I accepted the offer.

Written by Pratham Mittal

Ethical hacker || Security Engineer || Amazon, Ex - Razorpay, MakeMyTrip, Synopsys