InterviewStack.io

Security Engineering & Operations Topics

Operational security practices, secure systems implementation, threat modeling, penetration testing, vulnerability assessment, and security operations at production scale. Covers network security, endpoint security, secure architecture implementation, incident response mechanics, and security automation. Distinct from Security & Compliance (which addresses governance, compliance frameworks, and policy) and from Security Research & Innovation (which addresses novel techniques and research contributions).

Security and Data Privacy

Covers design and operational practices for protecting systems and user data. Candidates should be able to explain authentication and authorization models, including token-based approaches and role-based access control, encryption at rest and in transit, key management and secrets rotation, secure application programming interface (API) design and input validation, audit logging and security monitoring, data governance and privacy controls, compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), data minimization and anonymization techniques, threat modeling and vulnerability management, incident response and breach notification procedures, and the trade-offs between security, performance, and developer productivity.

0 questions

Mobile App Security and Authentication

Platform-specific security practices for mobile applications and clients. Topics include secure storage of credentials and tokens, protecting secrets on the device, certificate pinning and secure transport, secure use of OAuth and token refresh flows on mobile, defending against reverse engineering and tampering, permission models and least privilege for mobile apps, privacy and compliance considerations, secure API usage patterns from mobile clients, and strategies for mitigating mobile-specific attack vectors.

0 questions

Mobile Security Fundamentals

Core mobile security practices for protecting user data and application integrity on devices and in transit. Candidates should explain secure credential storage using platform key stores such as the iOS Keychain and the Android Keystore, secure transport using HTTPS (HTTP over TLS) and certificate pinning, safe storage and encryption for data at rest, secure handling of authentication tokens and refresh logic, input validation and safe deserialization, and principles for avoiding sensitive data leakage in logs or debug output. Include reasoning about third-party dependency risk, threat modeling for common mobile attack vectors, tamper detection and obfuscation where appropriate, and operational practices such as key rotation and periodic security testing.

0 questions

Code Obfuscation and Reverse Engineering

Techniques, trade-offs, and platform-specific practices for protecting mobile application logic and binaries from reverse engineering and tampering. Candidates should understand code obfuscation approaches such as symbol stripping, control flow obfuscation, string and resource encryption, native library protection and binary packing, as well as runtime anti-tampering and anti-debugging measures. Coverage includes platform release practices such as Android release tooling and application signing, ProGuard- and R8-style shrinkers, iOS code signing and hardened runtime configuration, secure key handling for client secrets, and approaches for protecting embedded native code. Evaluate how protections affect crash reporting and diagnostics, testing strategies to validate that protections work, and the balance between protection, performance overhead, maintainability, and recoverability during incidents.

0 questions