My 2 cents (read rants) on Information security
My 2 cents (read rants) on Information security

My experience with Google interview for information security engineer

google Interview questions
Couple of months back I saw a post on Linkedin about open roles for information security engineer at Google Zurich Switzerland office. I believe working for google (apart from perks they offer) is a privilege, you get to work with cutting edge technologies in a “comparatively stress free” environment (Check out Google’s offices you will know what I mean). Looking at the job responsibilities they seemed generic and short. Google keeps job responsibilities and required skills precise (Because of a reason explained later). This blog post is about my Google interview experience for information security engineer role.

As you can guess, I applied on Google Careers submitted my CV and details.  A week later I got the following email:-

Google Interview Information security engineer

Google interview questions information security engineer

Now as mentioned earlier the reason why Google’s job description and required skills are generic is because of a number of questions they ask when they shortlist your CV. As can be seen in the above screenshots. Firstly they want you to rate your skills for different information security domains. In the interview they ask questions based on how you rated yourself. For example if you rate yourself 4/5 in Web and Browser security, they would probably ask you more on Web and Browser security in the interview.

I rated myself and answered the questions, Google interview on phone call has 2 parts, one is questions, other one is live coding where interviewer gives you a problem and you have to write clean and efficient code for it in any language of your choice. I had to wait for 3 weeks for the interview call,  Finally got the interview call, the interviewer was from Google information security team based in Zurich. Few questions I remember are as follow:-

  1. As you know there are security issues (like Bufferoverflow) in image parsing libraries, you have to design a secure library that parses images, make sure there must be no security vulnerabilities in it, how will you design it?
  2. Walk me through designing Google’s single sign on for all google’s services that requires login, for example youtube?
  3. How do you protect against XSS without having to use encodings and javascript is allowed?
  4. Share your experience of fuzzing?
  5. What is origin in Same-origin-policy?

Lessons learned

After a week I got a call, that unfortunately they will not be moving forward with my application to next round. In hindsight I learned the following lessons:-

  1. I have to improve my programming skills to write clean and efficient code for living coding part of the interview, for this purpose I purchased subscription for , great platform to learn programming online
  2. Perspective in which the question is being asked is very important in an interview, It is quite possible that you know the answer but misunderstood the question, so don’t be afraid to ask counter questions to clarify the question further
  3. It is better to say I don’t know than to answer wrong
  4. They will dig down your answer further and will ask questions based on your answer, be confident on in-depth knowledge you have on the subject
  5. Need to improve my application security knowledge from defensive/secure design perspective

Resources to prepare

Following are the resources that will help you prepare for Google’s interview:-

  1. Cracking The code Interview , a very detailed well written book to help you with coding interviews.
  2. LeetCode  and HackerRank for online programming.
  3. Web application hacker’s handbook, best resource for web application security.
Notify of
1 Comment
Newest Most Voted
Inline Feedbacks
View all comments

Not sure if I understand the 3rd question “How do you protect against XSS without having to use encodings and javascript is allowed?”
Does it mean use of encoding function *and* javascript is not allowed? Or does it mean standard encoding functions are not allowed, but you need to encode it in javascript by yourself?

Would love your thoughts, please comment.x