Full Disclosure: I am a security engineer @ Google and the following are my own opinions.
I have received a ton of questions from students and professionals alike around coding, data structures and algorithms in security engineering interviews, which has finally motivated me enough to write a dedicated post on this topic. This is a separate question type from the open-ended questions which I have already addressed in a previous post. In this post, I will address the most common concerns around this topic in a way that makes sense, provide guidelines on how to gauge yourself as you develop your skills, and answer a few frequently asked questions along the way. So with that, let’s dive right in.
Over time coding has become an increasingly important aspect of security engineering interviews and, in my humble opinion, this will stay for some time to come. Let me explain. Based on my recent observations from looking at security engineering job descriptions and my personal interview experiences, companies of pretty much all shapes and sizes are now explicitly specifying at least one coding/scripting-based requirement directly in their job descriptions. The reason behind this is pretty straightforward. The security field is evolving faster than ever, with increasingly complex problems being surfaced (e.g. can you deal with a million false positives and find that one needle in the haystack in your alerts?) and different concepts being applied in this field, e.g. machine learning applications within security. Tackling this exponential growth and keeping up with business requirements requires engineers who can write efficient tools and maintain them. Not only that, but automation of repetitive tasks (e.g. your everyday alert triage process which you can now do in your sleep) has the potential to save an organization thousands of dollars in productivity hours every year. Therefore, having engineers on board who possess the skill of writing, testing, and maintaining code has a good return on investment for organizations dealing with evolving challenges.
Now with that background, it should be a no-brainer that security engineers should not only develop their coding skills but also hone them as much as a dedicated software engineer would. For this very reason, I tend to imagine security engineers as a hybrid mix of software engineers (who can produce and maintain high-quality efficient code), site reliability engineers (who can do operations work e.g. be on-call, perform investigations with a security mindset), and data analysts (who can make logical conclusions and perform analysis on large data sets). So the next obvious question is: are you saying I need to be an expert at coding? The short answer is no, not every job requires that level, but in general the better you get at it, the stronger your chances of cracking the coding portion of the interview. I have come up with a way to give you, the reader, an approximate idea of levels by comparing this with a concept from psychology. Let’s first understand Maslow’s hierarchy of needs, which is a motivational theory in psychology comprising a five-tier model of human needs. It describes the five human needs in a pyramid form where the most fundamental physiological need is at the very bottom and the need for self-actualization and transcendence is at the very top. Moving to higher levels in the hierarchy corresponds to growth in personal development. I use this concept and apply it here to describe the “levels” as one “grows” their coding skills by using a similar pyramid for coding levels.
The physiological needs comprise food, water, warmth, shelter, etc., which I directly compare to the basic working knowledge of coding, data structures and algorithms. This means that you should be familiar with at least one language of your choice and know the basic data structures, common algorithms for operations on them, and their associated time and space complexities. The “basic” data structures I have in mind here start with stacks, queues, linked lists, maps, etc., and the list (pun intended) goes on. By basic algorithms I have searching, sorting, insertion/deletion, etc. in mind.
Going up the hierarchy comes the need for safety and security. I compare this with a proficiency in the basics along with practical knowledge and application of data structures that are considered beyond basics, e.g. different types of trees, graphs, etc. At this level, you have developed a general intuition for the runtime of a class of problems and are able to comfortably select the optimal data structures for a small to medium sized problem.
Further up the chain comes the requirement of love. I make this parallel with the coding level of advanced (you definitely love coding if you enter this level :)). This involves everything from the intermediate level along with grasping the advanced data structures, e.g. Tries, AVL, B-Trees, etc., as well as recognizing optimal patterns of programming, e.g. will dynamic programming be a good solution to this problem, as it looks similar to another problem I have seen before? An engineer at this level can break down a large problem into various subproblems and select the optimal data structures and the applicable algorithm to solve each subset of problems, thereby eventually solving the larger problem in the most optimal manner, e.g. can I nest two data structures to solve this subproblem and integrate it with the other functions I have to solve the entire problem at hand?
Moving another level up the chain, we progress from advanced to expert in the coding hierarchy. At this level, you have increasingly high confidence in your coding abilities, have seen and solved a broad enough swath of problems to quickly choose the most optimal solution, understand the micro-optimizations that apply to even rarely used data structures, may have competed or can compete in state, national and international level programming competitions, and have potentially written impactful code within an organization or outside.
The topmost level of Maslow’s hierarchy is self-actualization, where a human attains their full potential. I compare this with the coding level of “Guru”, where you are one of the limited few in the world who develop new data structures and/or programming languages, conduct breakthrough research, come up with solutions to unsolved problems or better/faster solutions to what is otherwise considered a complicated and slow class of problems, or have contributed extensively to the world’s most used code bases. A few living legends that I consider for this level (and even beyond) are Donald Knuth, James Gosling, Linus Torvalds, Dennis Ritchie, Ken Thompson, and the like.
Another noteworthy aspect of the above description is that each level can have sub-levels as well, which you move through progressively. The progression from one level to the next takes non-linear time as you move higher up in the hierarchy, i.e. moving from basic to intermediate is relatively faster than moving from intermediate to advanced, etc. Security engineers should go beyond the basic level and into the intermediate and advanced territory for optimal performance. After that, if you do find the time, the need on the job, or just have a burning desire to go up the hierarchy, please by all means go forth and conquer.