How do you prove to an auditor that security controls are enforced continuously, not just documented? [Advanced]
Answer
To prove continuous enforcement to an auditor, I provide automated evidence from the systems that enforce controls: CI logs, policy-as-code results, admission-controller decisions, cloud configuration checks, IAM reviews, vulnerability SLA dashboards, audit logs, and exception records. The evidence should be timestamped, complete, and tied to control objectives.
Technical explanation
Auditors need more than policy documents; they need proof that controls operated during the audit period.
Evidence should show both preventive controls, such as blocked deployments, and detective controls, such as alerts and reviews.
Exceptions should be documented with approval, scope, expiration, compensating controls, and review history.
Hands-on example
Evidence pack: export monthly reports showing that 100 percent of production deployments passed signature verification, all prod namespaces enforce the restricted Pod Security level, CloudTrail remained enabled throughout the period, critical CVEs were remediated within SLA, access reviews were completed, and every policy exception had a valid owner and expiry date.
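One way to turn raw enforcement records into the per-control findings an auditor can read, as an added illustration rather than code from the original answer: the admission decisions, namespace labels and exception register below are constructed sample data, and the control names and field layout are assumptions.

```python
from datetime import date

# Constructed sample evidence for one audit period; none of this is real data.
AS_OF = date(2024, 5, 31)  # end of the audit period
# Admission-controller decisions for production deploys (constructed).
ADMISSION_DECISIONS = [
    {"ts": "2024-05-03", "ns": "prod-api", "signature_verified": True, "admitted": True},
    {"ts": "2024-05-10", "ns": "prod-web", "signature_verified": True, "admitted": True},
    {"ts": "2024-05-21", "ns": "prod-api", "signature_verified": False, "admitted": False},
]
# Pod Security Admission labels per production namespace (constructed).
NAMESPACE_LABELS = {
    "prod-api": {"pod-security.kubernetes.io/enforce": "restricted"},
    "prod-web": {"pod-security.kubernetes.io/enforce": "baseline"},
}
# Policy exception register (constructed).
EXCEPTIONS = [
    {"id": "EXC-7", "owner": "platform-team", "expires": "2024-08-01", "approved_by": "ciso"},
    {"id": "EXC-9", "owner": "", "expires": "2024-04-15", "approved_by": "ciso"},
]

def check_signature_enforcement(decisions):
    """Preventive control: no unsigned image may have been admitted to prod."""
    admitted = [d for d in decisions if d["admitted"]]
    blocked = [d for d in decisions if not d["admitted"]]
    leaked = [d for d in admitted if not d["signature_verified"]]
    return {"status": "PASS" if not leaked else "FAIL", "admitted": len(admitted),
            "blocked": len(blocked), "unsigned_admitted": len(leaked)}

def check_pod_security(ns_labels, required="restricted"):
    """Every production namespace must enforce the required Pod Security level."""
    key = "pod-security.kubernetes.io/enforce"
    failing = sorted(ns for ns, lbl in ns_labels.items() if lbl.get(key) != required)
    return {"status": "PASS" if not failing else "FAIL", "noncompliant_namespaces": failing}

def check_exceptions(exceptions, as_of):
    """Every exception needs an owner, an approver and an unexpired end date."""
    invalid = sorted(e["id"] for e in exceptions
                     if not e["owner"] or not e["approved_by"]
                     or date.fromisoformat(e["expires"]) < as_of)
    return {"status": "PASS" if not invalid else "FAIL", "invalid_exceptions": invalid}

def build_evidence_pack(decisions=ADMISSION_DECISIONS, ns_labels=NAMESPACE_LABELS,
                        exceptions=EXCEPTIONS, as_of=AS_OF):
    """Map each control objective to a dated, machine-derived finding."""
    return {"as_of": as_of.isoformat(),
            "image-signing": check_signature_enforcement(decisions),
            "pod-security": check_pod_security(ns_labels),
            "exceptions": check_exceptions(exceptions, as_of)}
```

On this sample the signing control passes because the one unsigned image was blocked rather than admitted, while the Pod Security and exception controls fail, which is exactly the kind of finding that should surface before the auditor sees the pack.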