Top DevSecOps Engineer Interview Questions Interview Questions | CandidateToHR
Crack your DevSecOps interview with 50+ real questions covering CI/CD security, Kubernetes hardening, secrets management, SAST/DAST, and compliance automation.
CandidateToHR provides highly optimized, professional tech career resources including: Resume Examples, Tech Career Roadmaps, Interview Prep questions and answers, and Career Guides. Build, customize, and analyze your tech career credentials completely free.
Prepare for your DevSecOps interview. Covers 55 real-world questions on Docker security, Kubernetes CIS benchmarks, Vault management, and secure pipelines.
Top Interview Questions & Answers
Beginner Interview Questions
- Q: What is DevSecOps and why is it important?
- A: DevSecOps is the practice of integrating security safety measures and compliance checks directly into the DevOps software development lifecycle (SDLC) from the very beginning. Instead of treating security as a final review gate before deployment, DevSecOps 'shifts security left' by automating scanning, compliance, and vulnerability checks inside CI/CD pipelines, enabling organizations to deliver secure software rapidly.
- Q: What does it mean to 'shift security left'?
- A: To 'shift security left' means moving security checks earlier in the software development lifecycle. Instead of auditing code or systems right before deployment (on the right), security is integrated during the planning, writing, and build phases (on the left). This makes vulnerabilities cheaper and faster to remediate.
- Q: Explain the difference between SAST and DAST.
- A: SAST (Static Application Security Testing) analyzes source code, binaries, or byte code for vulnerabilities without executing the code. It is run early in the pipeline. DAST (Dynamic Application Security Testing) analyzes a running application from the outside, simulating an attacker probing APIs or frontends. DAST requires a deployed staging environment and is run later in the pipeline.
- Q: What is Software Composition Analysis (SCA)?
- A: SCA is the process of scanning an application's open-source dependencies (e.g. npm packages, python libraries, NuGet packages) to identify known security vulnerabilities (CVEs) and license compliance issues. Tools like Snyk, Trivy, and OWASP Dependency-Check are commonly used.
- Q: What is a CVE?
- A: CVE stands for Common Vulnerabilities and Exposures. It is a publicly documented database of cybersecurity vulnerabilities. Each vulnerability is assigned a unique identifier (e.g., CVE-2021-44228 for Log4j) and a CVSS (Common Vulnerability Scoring System) severity score ranging from 0.0 to 10.0.
- Q: What is secrets management and why is it crucial?
- A: Secrets management is the practice of securing and managing digital credentials such as API keys, passwords, certificates, and SSH keys. It is crucial because storing secrets in plain text or committing them to git repositories leads to major security leaks. Dedicated systems like HashiCorp Vault or AWS Secrets Manager encrypt secrets and manage access control.
- Q: What is Infrastructure as Code (IaC) security scanning?
- A: IaC security scanning involves analyzing configurations (like Terraform modules, CloudFormation templates, or Kubernetes manifests) for security misconfigurations before they are deployed. Tools like Checkov, tfsec, and Terrascan identify issues like publicly open S3 buckets, over-privileged IAM roles, or unencrypted storage volumes.
- Q: What is the purpose of container image scanning?
- A: Container image scanning inspects the layers of a container image (e.g. Docker images) for vulnerabilities in operating system packages, libraries, and binaries. It ensures that base images do not contain active exploits (CVEs) before they are deployed to production clusters.
- Q: Explain the concept of 'Least Privilege'.
- A: The Principle of Least Privilege (PoLP) states that a user, process, or system should only possess the minimum access rights and permissions necessary to perform its specific task, and no more. This limits the blast radius if an account is compromised.
- Q: What is Threat Modeling?
- A: Threat Modeling is a structured process to identify, prioritize, and mitigate potential security threats and vulnerabilities in an application or system architecture. It is typically conducted during the design phase using frameworks like STRIDE.
- Q: What is a pipeline security gate?
- A: A security gate is a policy enforced in a CI/CD pipeline that halts the build or deployment if certain security criteria are not met. For example, failing a build if a container scan detects any 'Critical' or 'High' severity vulnerabilities.
- Q: What is OWASP?
- A: OWASP (Open Web Application Security Project) is a non-profit foundation focused on software security. It publishes the 'OWASP Top 10', a list of the ten most critical security risks for web applications, which serves as a standard for secure coding.
- Q: What is CI/CD and how does security fit in?
- A: CI/CD stands for Continuous Integration and Continuous Deployment. Security fits in by integrating automated checks at each stage: SAST and SCA during integration (CI), IaC scanning and container scanning during build, and DAST and compliance verification during deployment (CD).
- Q: What is a false positive in security scanning?
- A: A false positive is a scan result that incorrectly flags a vulnerability that is not actually present or is not exploitable in the application's context. Managing false positives involves triaging, documenting, and adding ignore-rules.
- Q: What is GitOps?
- A: GitOps is an operational framework that takes DevOps best practices (like version control, collaboration, compliance, and CI/CD) and applies them to infrastructure automation. In GitOps, Git is the single source of truth for the desired system state.
Intermediate Interview Questions
- Q: How would you prevent developers from committing hardcoded secrets to Git?
- A: I would implement a multi-layered defense: 1) Deploy pre-commit hooks (using tools like `pre-commit` and `gitleaks` or `trufflehog`) to scan code locally before committing. 2) Configure server-side Git hooks or pull-request scanners to reject pushes containing secrets. 3) Set up recurring centralized pipeline secrets scans. 4) Train developers to use environment variables and secrets managers during local development.
- Q: What is Open Policy Agent (OPA) and how is it used in DevSecOps?
- A: OPA is a general-purpose, open-source policy engine that enables policy-as-code. In DevSecOps, OPA is used to write and enforce policies in Rego language across Kubernetes (using Gatekeeper), Terraform (validating security configurations before applying), and API gateways (enforcing fine-grained authorization policies).
- Q: Explain the concept of container hardening.
- A: Container hardening is the process of securing a container image and runtime environment. Steps include: 1) Running containers as non-root users (`USER 1000`). 2) Using minimal base images like Distroless or Alpine. 3) Removing unnecessary binaries (like curl, bash, compilers). 4) Making the root filesystem read-only. 5) Dropping unused Linux capabilities.
- Q: How does HashiCorp Vault secure dynamic database credentials?
- A: Vault uses its Database Secrets Engine to generate dynamic database credentials on-demand. When an application requests access, Vault logs into the database, creates a unique, short-lived user account with limited permissions, and returns it to the app. Vault automatically deletes the user account once the lease expires.
- Q: What are Kubernetes CIS Benchmarks?
- A: Kubernetes CIS Benchmarks are consensus-based security guidelines developed by the Center for Internet Security (CIS) for hardening Kubernetes master nodes, worker nodes, and control plane components. Tools like kube-bench automate checking clusters against these benchmarks.
- Q: What is Software Bill of Materials (SBOM) and why is it popular in 2026?
- A: An SBOM is a nested inventory or list of ingredients for software, detailing all libraries, dependencies, versions, and licenses. It is popular because supply-chain attacks have risen. Governments and enterprise clients require SBOM compliance (formats like SPDX or CycloneDX) to verify package integrity.
- Q: How would you secure a Kubernetes ingress controller?
- A: To secure an ingress: 1) Enforce HTTPS using TLS certificates (managed by cert-manager). 2) Enable Web Application Firewall (WAF) integration (e.g. ModSecurity). 3) Apply rate limiting to prevent DDoS. 4) Use network policies to restrict access only to designated pods. 5) Keep the ingress controller updated to patch CVEs.
- Q: What is mutual TLS (mTLS) and how does a service mesh help?
- A: mTLS is a process where both the client and the server verify each other's cryptographic certificates before establishing an encrypted tunnel. A Service Mesh (like Istio or Linkerd) automatically injects sidecar proxies next to application pods, handling mTLS, certificate rotation, and secure pod-to-pod communication without modifying application code.
- Q: What is the role of a WAF (Web Application Firewall) in a DevSecOps architecture?
- A: A WAF monitors, filters, and blocks HTTP traffic to and from a web application. Unlike standard network firewalls, WAFs understand application-layer protocols, protecting against web exploits like SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations (OWASP Top 10).
- Q: Explain Zero Trust Network Architecture.
- A: Zero Trust is a security framework based on the premise: 'never trust, always verify.' It assumes threats exist inside and outside the network. It requires strict identity verification, authentication, authorization, and continuous validation of every user and device requesting access to resources, regardless of their network location.
- Q: What is the difference between AWS Security Group and AWS Network ACL?
- A: AWS Security Groups are stateful (automatically allow return traffic), apply at the instance/resource level, and only support allow-rules. Network ACLs (NACLs) are stateless (must explicitly define inbound and outbound rules), apply at the subnet level, and support both allow and deny-rules.
- Q: How do you securely distribute secrets to Kubernetes pods?
- A: I would avoid raw environment variables. Instead: 1) Use Kubernetes Secrets mapped to files via volumes. 2) Integrate secrets injection from external vaults using the SecretProviderClass (CSI Secrets Store Driver) or Vault Agent Injectors, which mounts secrets into a shared memory volume (`tmpfs`) that disappears on pod deletion.
- Q: What is drift detection in infrastructure management?
- A: Drift detection is the process of identifying differences between the desired infrastructure state defined in version-controlled IaC code (e.g. Terraform) and the actual live state in the cloud provider. Drift detection tools (like Terraform plan, driftctl, or cloud providers' native tools) flag manual changes that break compliance.
- Q: Explain the concept of 'Policy as Code'.
- A: Policy as Code is the practice of writing compliance, security, and operational policies in a high-level configuration language (like Rego or YAML) that can be version-controlled, reviewed, tested, and automated through pipelines, replacing manual checklists and wikis.
- Q: How would you run a SAST scan in a GitLab CI pipeline?
- A: I would add a test stage job in the `.gitlab-ci.yml` file. I would use a Docker image containing a SAST tool (like Semgrep or SonarScanner), execute the CLI tool against the source directory, output the results as an artifact (e.g., JSON/JUnit format), and configure pipeline rules to fail the merge request if high-risk vulnerabilities are found.
Advanced Interview Questions
- Q: How do you secure container runtimes against container escape vulnerabilities?
- A: To protect against escapes: 1) Avoid running containers as root and drop standard Linux capabilities. 2) Implement security profiles like AppArmor or SELinux to restrict file/network access. 3) Enforce syscall filtering using seccomp profiles to block dangerous system calls (like `ptrace` or `sys_chroot`). 4) Use sandboxed container runtimes like gVisor or Kata Containers that run containers in isolated kernels rather than sharing the host kernel directly.
- Q: Describe how to secure the software supply chain using Sigstore and Cosign.
- A: Securing the supply chain involves signing artifacts and verifying signatures. During build, I use Cosign (part of Sigstore) to sign container images using an ephemeral key pair tied to the build pipeline's OIDC identity. The signature is pushed to the OCI registry. In Kubernetes, I deploy an admission controller (like Kyverno or Gatekeeper) that validates container image signatures against our trusted OIDC publisher before allowing deployments.
- Q: How would you design a pipeline that runs DAST without slowing down developers?
- A: DAST scans can take hours, which slows down standard CI loops. To solve this: 1) Run light, targeted active DAST scans on pull requests (scanning only modified endpoints). 2) Run deep, full-scale DAST scans asynchronously (e.g., nightly or post-merge to main). 3) Use passive DAST tools that intercept HTTP traffic in staging environments without active payloads, raising security tickets asynchronously.
- Q: Explain how OIDC (OpenID Connect) improves cloud CI/CD pipeline security.
- A: OIDC eliminates the need to store long-lived cloud credentials (like AWS IAM Access Keys) inside CI/CD providers (like GitHub Actions). Instead, the cloud provider trusts the CI/CD provider's identity issuer. During pipeline execution, the runner requests a temporary, cryptographic JWT from the OIDC provider and exchanges it for a short-lived cloud IAM session, reducing credential theft risks to zero.
- Q: What is DevSecOps governance and how do you implement security exemptions?
- A: Governance defines the policies, risk tolerances, and exception workflows. Exemptions must not be manual. I implement them by writing policy exemption files in Git. The file details the CVE, the justification, the expiration date, and the compensating controls. The pre-publish or deployment policy engine parses this YAML/JSON config, checks if the exemption is active, and overrides the build gate, creating an auditable history.
- Q: How would you configure network isolation for sensitive workloads in Kubernetes?
- A: I would implement Network Policies using a CNI plugin like Calico or Cilium. First, I apply a default-deny-all policy for all ingress and egress in the namespace. Second, I selectively write rules that allow pods to communicate only with specified microservices or databases based on labels. Third, I restrict egress traffic, blocking outbound internet connections from internal application pods unless routed through a secure egress proxy.
- Q: What is eBPF and how does it revolutionize runtime security monitoring in Kubernetes?
- A: eBPF (Extended Berkeley Packet Filter) allows running sandboxed programs inside the Linux kernel without changing kernel source code or loading modules. In security, tools like Cilium Tetragon or Falco use eBPF to monitor system calls, process executions, namespace changes, and network sockets in real-time. Because it runs in the kernel, it cannot be bypassed or disabled by compromised user-space containers.
- Q: How do you prevent DNS spoofing and MITM attacks inside a Kubernetes cluster?
- A: To secure Kubernetes DNS: 1) Enable CoreDNS DNSSEC to cryptographically sign DNS records and prevent cache poisoning. 2) Configure Network Policies to restrict DNS queries to CoreDNS pods. 3) Enable NodeLocal DNSCache to optimize traffic and reduce query load. 4) Use mTLS via a service mesh to ensure all pod-to-pod communication is encrypted and authenticated.
- Q: Explain how to implement Secure Boot and Remote Attestation for cloud VMs.
- A: Secure Boot ensures that only trusted, cryptographically signed bootloaders and OS kernels are loaded during VM boot. Remote Attestation uses a Virtual Trusted Platform Module (vTPM) to measure the boot sequence (hashing firmware, bootloader, kernel). These measurements are sent to an attestation server which verifies them against known healthy hashes before granting access tokens or decryption keys.
- Q: How would you handle a zero-day vulnerability in a core base image across 500 microservices?
- A: I would execute our automated remediation pipeline: 1) Update the base image in our central repository with the patch. 2) Trigger a rebuild script that updates the base image tags in all repositories. 3) Run automated test suites. 4) If tests pass, build and push signed containers. 5) Deploy via GitOps (e.g. ArgoCD), which automatically rolls out the patched pods. 6) Use runtime security tools to monitor unpatched pods in the interim.
- Q: Explain the difference between Symmetric and Asymmetric encryption, and their role in KMS.
- A: Symmetric encryption uses the same key for encryption and decryption (fast, used for bulk data). Asymmetric encryption uses a public-private key pair (slower, used for key exchange/signing). A Key Management Service (KMS) uses Envelope Encryption: KMS stores an asymmetric master key which decrypts symmetric Data Encryption Keys (DEKs) that encrypt the database volumes.
- Q: How do you audit and restrict Kubernetes API Server access?
- A: To secure the API server: 1) Enable Kubernetes API Auditing and ship logs to a centralized SIEM. 2) Disable public access, allowing requests only via VPN or Bastion hosts. 3) Use RBAC with strict auditing on cluster-admin roles. 4) Turn on Node Restriction admission controllers to prevent compromised kubelets from modifying objects outside their node.
- Q: How would you secure a serverless CI/CD runner architecture?
- A: For ephemeral runners (e.g. AWS Fargate runners): 1) Run each job in a fresh, isolated container. 2) Grant execution roles using OIDC with minimal permissions. 3) Restrict runner networks using private subnets without public IPs. 4) Set up aggressive timeouts to prevent orphaned running instances. 5) Encrypt local runner storage volumes and destroy them immediately after the job finishes.
- Q: Explain how to secure Kafka message queues in a microservices environment.
- A: To secure Kafka: 1) Enable TLS for client-to-broker and broker-to-broker encryption. 2) Enforce SASL/SCRAM or mTLS authentication for all clients. 3) Write Kafka ACLs (Access Control Lists) to restrict which service accounts can write to or read from specific topics. 4) Use field-level encryption for sensitive payloads before publishing to topics.
- Q: What is Git repo poisoning and how do you protect against it?
- A: Repo poisoning occurs when an attacker commits malicious code or dependencies directly to a git repository. Protection measures: 1) Require signed commits (PGP/SSH signatures) to verify author identity. 2) Implement branch protection rules requiring at least 2 code reviews and passing CI checks. 3) Enable dependency scanning (SCA) to detect compromised package versions.
Frequently Asked Questions
What is the focus of these DevSecOps interview questions?
These questions focus on automated security scanning, container hardening, Secrets Management, Kubernetes security, and Cloud compliance. To see how these skills are presented to recruiters, check out our [DevSecOps Engineer Resume Examples](/resume-examples/devsecops-engineer) and [DevOps Engineer Resume Examples](/resume-examples/devops-engineer).
How many interview questions are included in this guide?
This guide contains 55 detailed technical and scenario-based interview questions.
Are there coding questions included in the interview guide?
Yes, several questions address writing secure pipeline scripts, parsing security reports in Python, and scripting configurations.
Is Kubernetes security covered in this guide?
Yes, there are multiple questions detailing CKS objectives, network policies, seccomp filters, and ingress security. You can prepare for broader container automation concepts by studying our [Kubernetes Interview Questions](/interview-questions/kubernetes) guide.
What compliance standards are referenced in the questions?
The questions cover standard corporate compliance frameworks including SOC2, ISO 27001, HIPAA, and PCI-DSS.
Should I study DevOps questions as well?
Yes. DevSecOps is built on top of DevOps principles. We highly recommend reviewing our general [DevOps Interview Questions](/interview-questions/devops) guide as a baseline.
What tools are mentioned in these solutions?
We reference standard DevSecOps tooling including HashiCorp Vault, Trivy, Checkov, SonarQube, OPA, Semgrep, and Kubernetes admission controllers.
How should I structure my answers to scenario questions?
Use the STAR method: explain the Situation, the Task at hand, the automated Action you would perform, and the measurable Result (risk reduction).
Can I use these questions to prepare for certifications?
Yes, many questions align directly with concepts tested in CKS (Certified Kubernetes Security Specialist) and AWS Certified Security - Specialty.
How often are these questions updated?
We review and update our technical guides quarterly. For details on how to build these automated systems from scratch, read our [How to Become a DevSecOps Engineer Career Guide](/career-guides/how-to-become-devsecops-engineer). To check current earnings rates, review the [DevSecOps Engineer Salary Guide 2026](/salary-guides/devsecops-engineer-salary-guide-2026), and to plan your study sessions, view our [DevSecOps Engineer Roadmap](/roadmaps/devsecops-engineer).
Career Navigation Directory