Hi all,
Community feedback means a lot to me, especially when I'm faced with niche uncertainties.
I'm currently in an interview process but can't shake the feeling that the questions being asked are far above what is typical or necessary. This is not for a senior role, and I was allotted a 4-hour window to complete all prompts. Here they are:
=== BEGIN ===
Question 1:
How does an effective Security program benefit
Scenario 1:
Your team has been tasked with migrating a handful of production API services, databases and front-end applications to Elastic Kubernetes Service (EKS) in AWS. You’re specifically in charge of identifying and remediating security vulnerabilities during this transition process.
1. How would you begin to break down the problem? What questions do you need to get answered? If you had to create a migration and security plan with just this info, how would you approach it and what would the plan look like?
Let's say we plan on migrating one of our legacy backend APIs to allow for High Availability. The setup is a single instance/server that is running a
1. Define what you would propose we do to meet the goal of High Availability after migrating it to EKS. What tools would you use?
2. How would you handle security and what would be your must have items?
3. How would you handle logging? Security monitoring?
4. How would the configuration of the instances/services and user management be managed?
Assuming things went great with the single API migration above you are now asked to provide a plan for the following:
1. What would be the ideal way to plan to eventually provision all of our infrastructure? What are some key things that you would think about and plan for?
2. How can we incorporate security into our CI/CD processes given this new environment?
3. What would you propose if you were asked to standardize our production and non-production environments?
Scenario 2:
An engineering team wants to release a new application into our different environments and production in the coming weeks.
How do you work with that team to provision the application and resources for each environment?
How do you verify their work is secure?
What tooling would you build to allow greater autonomy and automation for future application deployments?
=== END ===
Is it possible that this organization is using responses from me and other security engineers to make decisions about their environment? No NDAs have been signed; any feedback is welcome and appreciated.