
Infrastructure Security and Compliance Questions

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role-based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing, dependency scanning and provenance, policy as code and automated security gates in continuous integration and continuous delivery (CI/CD) pipelines, automated testing and validation of controls, and the trade-offs between security controls and developer velocity.

Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), SOC 2, the Payment Card Industry Data Security Standard (PCI DSS), and ISO 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

Hard, Technical (70 practiced)
Design artifact signing and provenance verification across a multi-stage build and deployment pipeline that consumes third-party dependencies. Specify where to sign artifacts (build step), how and where to store signatures and provenance attestations, how verification occurs at deployment time, handling signature revocation, and developer workflows to keep the process automatic and low-friction.
Medium, Technical (63 practiced)
Explain zero trust principles and outline an incremental migration plan for a mid-size enterprise with legacy applications. Include identity improvements (MFA, device posture), network changes (microsegmentation), service authentication, and metrics you would use to measure progress and security posture.
Easy, Technical (60 practiced)
Explain the differences between automated vulnerability scanning and manual penetration testing. Discuss typical cadence, common tools (e.g., Nessus, Qualys, Burp Suite), how to prioritize findings, and how results should feed into organizational patching and remediation workflows.
Hard, Technical (66 practiced)
A breach started from a compromised developer workstation and resulted in source code exfiltration and exposure of customer test data. Analyze the systemic control failures (endpoint protection, credential hygiene, MFA coverage, logging gaps, least-privilege violations) and propose a prioritized 90-day remediation roadmap with concrete milestones that will provide demonstrable SOC 2 evidence of improvement.
Hard, Technical (70 practiced)
You are responsible for eliminating 'secrets sprawl' across thousands of repositories, CI pipelines, and developer machines, including legacy binaries with embedded credentials. Propose a pragmatic migration plan that covers discovery, risk classification, ingestion into a central secrets store, access model and enforcement, rollout phases, metrics for success, and handling uncooperative teams or non-rotatable secrets.
