DevSecOps interviews have gotten harder. That’s partly because the title itself is newer and there’s less consensus on what it means, so interviewers tend to probe more widely. A DevOps interview has a fairly predictable structure. A DevSecOps interview can go from threat modeling to RBAC to SOC 2 requirements in the same session.
These 35 questions cover the breadth I’ve seen across real interview loops. I’ve grouped them into five areas and added notes on expected depth where the question tends to get shallow answers.
Shift-left security and the CI/CD pipeline (questions 1-9)
- What does “shift-left security” mean in practice? Give a concrete example of something you’d move earlier in the pipeline.
- What is SAST and how does it differ from DAST? When does each run in a typical pipeline?
- What is IAST, and how does it differ from SAST and DAST in terms of where it runs?
- How do you scan container images for vulnerabilities in CI before pushing to a registry?
- How do you manage secrets in a CI/CD pipeline without storing them in the repo?
- What is OIDC-based authentication for CI pipelines, and why is it better than long-lived credentials?
- How would you enforce that no image with a critical CVE can be deployed to production?
- What is software composition analysis (SCA) and what problem does it address that SAST doesn’t?
- Describe a pipeline gate you’ve implemented for security that caused real friction with developers. How did you handle it?
The last question is a behavioral probe inside a technical section. It’s asking whether you’ve actually worked with developers who pushed back on security gates. A good answer here has a specific story, not a generic one. “We added a mandatory Snyk scan that was blocking merges for false positives, so I worked with the team to configure a .snyk ignore file and an exception workflow” is far more credible than “I communicated the importance of security.”
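A pipeline gate with the kind of time-boxed exception workflow that story describes, written here as an added example (it is not the post's code and not Snyk's): critical findings block the merge unless an approved, unexpired waiver covers them, and expired waivers are surfaced for re-review rather than silently honoured. Finding IDs, package names and dates are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Finding:
    vuln_id: str   # scanner identifier (CVE or vendor ID); placeholders below
    package: str
    severity: str  # "critical", "high", "medium" or "low"

@dataclass(frozen=True)
class Waiver:
    vuln_id: str
    reason: str       # written justification, kept as audit evidence
    approved_by: str
    expires: date     # every waiver expires, so false positives get re-reviewed

BLOCKING_SEVERITIES = {"critical"}

def evaluate_gate(findings, waivers, today_iso):
    """Return (passed, blocking_ids, expired_waiver_ids).
    A finding blocks the merge when its severity is in BLOCKING_SEVERITIES and
    no unexpired waiver covers its vuln_id. An expired waiver never silences a
    finding; it is reported so the team re-reviews it."""
    today = date.fromisoformat(today_iso)
    active = {w.vuln_id for w in waivers if w.expires >= today}
    expired = [w.vuln_id for w in waivers if w.expires < today]
    blocking = [f.vuln_id for f in findings
                if f.severity in BLOCKING_SEVERITIES and f.vuln_id not in active]
    return (not blocking, blocking, expired)

# Constructed sample scanner output and waiver list (not real findings).
FINDINGS = [
    Finding("VULN-PLACEHOLDER-001", "libexample", "critical"),
    Finding("VULN-PLACEHOLDER-002", "otherlib", "high"),
    Finding("VULN-PLACEHOLDER-003", "thirdlib", "critical"),
]
WAIVERS = [
    Waiver("VULN-PLACEHOLDER-001", "vulnerable function not reachable from our code",
           "appsec-lead", date(2025, 1, 31)),
]

if __name__ == "__main__":
    passed, blocking, expired = evaluate_gate(FINDINGS, WAIVERS, "2025-01-15")
    print("gate:", "PASS" if passed else "FAIL")
    for vid in blocking:
        print("  blocking finding:", vid)
    for vid in expired:
        print("  expired waiver, re-review required:", vid)
```

Run it with a date after the waiver's expiry and the previously waived finding blocks again, which is the behaviour that keeps an ignore list from quietly becoming permanent.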
Container and Kubernetes security (questions 10-18)
- What is a rootless container and why does it matter?
- What are Pod Security Standards (previously Pod Security Policies) in Kubernetes?
- How do you use Kubernetes RBAC to implement least-privilege access for service accounts?
- What is a NetworkPolicy in Kubernetes and how does it differ from a firewall rule?
- How do you use `securityContext` in a pod spec to harden a workload?
- What is runtime security monitoring in containers, and what tools exist for it?
- How do you scan a running cluster for misconfigurations, not just images?
- What is the role of admission controllers in Kubernetes security?
- How would you prevent a pod from mounting the host filesystem?
Note on depth: Question 17 trips up a lot of candidates. Scanning images covers known CVEs in software packages. Scanning the cluster covers misconfigurations: RBAC that’s too permissive, pods running as root, missing resource limits, containers with host network access. Tools like Trivy, Kubescape, and Polaris do this. Knowing the difference matters because interviewers are checking whether you understand that vulnerabilities and misconfigurations are separate risk surfaces.
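To make the vulnerability-versus-misconfiguration distinction concrete, here is an added example (not from the post, and not how Trivy, Kubescape or Polaris are implemented) that audits a single pod manifest for several of the misconfigurations the note lists: host network access, host filesystem mounts, privileged containers, running as root, and missing resource limits. Both manifests are constructed.

```python
def audit_pod(pod):
    """Return a list of (subject, finding) tuples for one pod manifest given as a
    plain dict (what yaml.safe_load returns). Container securityContext overrides pod-level."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork"):
        findings.append((name, "pod shares the host network namespace"))
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append((name, f"hostPath volume '{vol.get('name')}' mounts the host filesystem"))
    for c in spec.get("containers", []):
        subject = f"{name}/{c.get('name', '<unnamed>')}"
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((subject, "container runs privileged"))
        if not sc.get("runAsNonRoot") and not sc.get("runAsUser"):
            findings.append((subject, "container may run as root (runAsNonRoot unset, no non-zero runAsUser)"))
        if sc.get("allowPrivilegeEscalation", True):
            findings.append((subject, "allowPrivilegeEscalation is not set to false"))
        if not c.get("resources", {}).get("limits"):
            findings.append((subject, "no resource limits set"))
    return findings

# Constructed sample manifests: one typical of a legacy agent, one hardened.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "legacy-agent"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
        "containers": [{"name": "agent", "image": "example/agent:1.0",
                        "securityContext": {"privileged": True}}],
    },
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "api"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "api", "image": "example/api:1.0",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "readOnlyRootFilesystem": True},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}],
    },
}

if __name__ == "__main__":
    for pod in (INSECURE_POD, HARDENED_POD):
        for subject, finding in audit_pod(pod):
            print(f"{subject}: {finding}")
```

None of these checks consult a CVE database; every finding here would be invisible to an image scanner and is exactly the kind of thing a cluster or manifest scanner exists to catch.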
Infrastructure security and IaC (questions 19-26)
- How do you scan Terraform code for security misconfigurations before applying?
- What is tfsec or Checkov, and how do you integrate them into a pipeline?
- How do you enforce cloud IAM least-privilege in an automated way?
- What is the difference between an IAM role and an IAM user in AWS, and which should you use for machine access?
- How do you manage API gateway security for microservices?
- What is network segmentation and how do you implement it in a cloud VPC?
- How do you detect and alert on unauthorized changes to production infrastructure?
- What is immutable infrastructure and how does it improve security posture?
The Stack Overflow Developer Survey 2024 shows Terraform is the dominant IaC tool. Expect at least two or three IaC security questions in any serious DevSecOps loop.
Compliance and governance (questions 27-31)
- What is SOC 2 Type II and how does it differ from Type I?
- How do you implement continuous compliance for PCI-DSS in a cloud environment?
- What GDPR obligations affect how you store and process logs that contain personal data?
- How do you generate evidence for an audit of your CI/CD pipeline?
- What is a compliance-as-code approach and what tools support it?
I’ll be honest: the compliance questions are the ones I’ve seen candidates most frequently wing. If you haven’t worked in a regulated environment, the gap shows quickly. The minimum you need is a clear understanding of what each framework actually requires (not just a vague statement that “SOC 2 is about trust”), and some familiarity with how automated tooling (OPA, cloud-native compliance scanners) can replace manual checklists. The BLS projects information security analyst roles growing 32% through 2032, faster than almost any other tech category. Compliance is a meaningful share of that work.
Advanced topics: threat modeling, chaos, and SOAR (questions 32-35)
- Walk me through how you’d apply the STRIDE threat model to a microservices architecture.
- What is security chaos engineering and how does it differ from reliability chaos engineering?
- What is a SOAR platform and when does it make sense to implement one?
- How do you handle multi-cloud security consistently when AWS and GCP have different IAM models?
Question 32, STRIDE, is where you see a real split between candidates with security backgrounds and those who migrated from pure DevOps. STRIDE breaks threats into Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. Walking through a microservices architecture with that lens means identifying which components are most exposed to each threat type and what controls exist or should exist. An interviewer asking this question wants to see you think, not recite.
Question 33 comes up more at companies that have reached a certain level of security maturity. Security chaos engineering means deliberately injecting security failures (revoking credentials, blocking a WAF rule, simulating a lateral movement path) to test detection and response. Most organizations aren’t there yet. If you haven’t worked with this, it’s fine to say so; just demonstrate you understand the concept and why it would be valuable.
Using an AI interview tool like Craqly during live DevSecOps practice interviews can help you get comfortable narrating your security reasoning in real time, which is often harder than the underlying knowledge. The gap between knowing a concept and being able to explain it under a bit of pressure is real, and it’s mostly a practice problem.
What’s the hardest DevSecOps question you’ve faced in an actual interview?