Top 35 Secure Coding Interview Questions & Answers 2025

Key principles: (1) Defense in depth (multiple layers), (2) Least privilege, (3) Fail securely (default deny), (4) Don't trust input (validate everything), (5) Keep it simple (complexity breeds bugs), (6) Fix issues properly (not just symptoms), (7) Security by design (not afterthought). Apply throughout SDLC. Train developers on secure practices.

Validation approach: whitelist over blacklist (define what's allowed). Validate: type, length, format, range. Where: server-side (required), client-side (UX only). Techniques: regex patterns, schema validation (JSON Schema, Joi), type casting. Sanitize for output context (encoding). Consider: canonical form (normalize Unicode), file uploads (type, size, scan).

Threat modeling: systematic identification of security threats. Process: (1) Define scope, (2) Create architecture diagram, (3) Identify threats (STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege), (4) Rate risks, (5) Plan mitigations. Do early in design, update throughout. Tools: Microsoft Threat Modeling Tool, OWASP Threat Dragon.

Secure error handling: (1) Don't expose stack traces/internal details to users, (2) Log detailed errors server-side, (3) Return generic messages to clients, (4) Use proper HTTP status codes, (5) Don't reveal system info (database type, paths), (6) Fail securely (deny access on error). Implement centralized error handling. Monitor error patterns for attacks.

Testing types: SAST (static analysis, code review), DAST (dynamic testing, running app), IAST (combined, instrumented), SCA (dependency scanning), Penetration testing (manual), Security code review. Integrate: SAST in IDE/PR, SCA in CI, DAST in staging, pentest before major releases. Automate where possible, fix issues before deployment.