As you can guess, I applied on Google Careers and submitted my CV and details. A week later I got the following email:
Now, as mentioned earlier, the reason why Google's job description and required skills are generic is that they ask a number of questions when they shortlist your CV, as can be seen in the above screenshots. Firstly, they want you to rate your skills in different information security domains. In the interview they ask questions based on how you rated yourself. For example, if you rate yourself 4/5 in web and browser security, they will probably ask you more about web and browser security in the interview.
I rated myself and answered the questions. Google's phone interview has two parts: one is questions, the other is live coding, where the interviewer gives you a problem and you have to write clean and efficient code for it in any language of your choice. I had to wait three weeks for the interview call. When it finally came, the interviewer was from Google's information security team based in Zurich. A few questions I remember are as follows:
- As you know, there are security issues (like buffer overflows) in image parsing libraries. You have to design a secure library that parses images and make sure there are no security vulnerabilities in it. How will you design it?
- Walk me through designing Google's single sign-on for all Google services that require login, for example YouTube.
- How do you protect against XSS without having to use encodings and javascript is allowed?
- Share your experience of fuzzing.
- What is an origin in the same-origin policy?
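For the last question, here is an added example (not part of the original post) that shows what an origin actually is under the same-origin policy: the tuple of scheme, host and port, with path, query, fragment and user-info ignored and a missing port resolved to the scheme's default. The URL pairs below are constructed test inputs; the code relies only on the WHATWG URL class built into Node.js and browsers.

```javascript
// Added example, not part of the original post: what the "origin" in the
// same-origin policy is. An origin is the tuple (scheme, host, port).
// Path, query, fragment and user-info are ignored; a missing port means the
// scheme's default port; hostnames compare case-insensitively.
// Uses the WHATWG URL class built into Node.js and browsers.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a URL into its origin tuple. URL.port is '' for a default port,
// so resolve it explicitly to make the tuple comparable.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[u.protocol] || '');
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only if all three components match exactly.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialize the way browsers do (window.origin / URL.origin): the default
// port is omitted and everything after the authority is dropped.
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// Constructed test pairs: each entry is [a, b, expectedSameOrigin].
const CASES = [
  ['http://example.com/app/page.html', 'http://example.com:80/other?x=1#frag', true], // path/query/fragment ignored, default port
  ['http://user:pw@EXAMPLE.com/', 'http://example.com/', true],                        // user-info dropped, host case-insensitive
  ['http://example.com/', 'https://example.com/', false],                               // scheme differs
  ['http://example.com/', 'http://www.example.com/', false],                            // host differs: a subdomain is a different origin
  ['http://example.com/', 'http://example.com:8080/', false],                           // port differs
  ['https://example.com/', 'https://example.com:443/', true],                           // explicit default port equals implicit one
];

// Evaluate every pair and report what the check returned next to the expectation.
function runCases() {
  return CASES.map(([a, b, expected]) => ({ a, b, expected, got: sameOrigin(a, b) }));
}

for (const r of runCases()) {
  const mark = r.got === r.expected ? 'ok ' : 'BAD';
  console.log(`${mark} ${serializeOrigin(r.a)} vs ${serializeOrigin(r.b)} -> same-origin: ${r.got}`);
}
```

The point the interviewer is after is that only those three components count: `http://example.com` and `http://example.com:8080` are different origins, as are `https://` and `http://` versions of the same host, while two pages under completely different paths on the same host share one origin and can read each other's DOM, cookies (subject to cookie scoping rules) and storage.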
Lessons learned
After a week I got a call that, unfortunately, they would not be moving forward with my application to the next round. In hindsight I learned the following lessons:
- I have to improve my programming skills to write clean and efficient code for the live coding part of the interview. For this purpose I purchased a subscription to https://leetcode.com , a great platform to learn programming online.
- The perspective from which a question is asked is very important in an interview. It is quite possible that you know the answer but misunderstood the question, so don't be afraid to ask counter-questions to clarify it further.
- It is better to say "I don't know" than to give a wrong answer.
- They will dig into your answer and ask further questions based on it, so be confident about the in-depth knowledge you have of the subject.
- I need to improve my application security knowledge from a defensive/secure design perspective.
Resources to prepare
Following are the resources that will help you prepare for Google's interview:
- Cracking the Coding Interview, a very detailed, well-written book to help you with coding interviews.
- LeetCode and HackerRank for online programming practice.
- The Web Application Hacker's Handbook, the best resource for web application security.
Not sure if I understand the 3rd question: "How do you protect against XSS without having to use encodings and javascript is allowed?"
Does it mean the use of encoding functions *and* JavaScript is not allowed? Or does it mean standard encoding functions are not allowed, but you need to encode it in JavaScript by yourself?