What is a toxic combination (attack path) in Wiz, and why prioritise it? [Basic]
Answer
A toxic combination, or attack path, is a set of related weaknesses that may each be manageable on their own but together create a high-risk route to compromise. It should be prioritized because attackers chain weaknesses; they rarely rely on a single isolated finding.
Technical explanation
Examples include internet exposure plus critical CVE plus privileged identity, or leaked secret plus broad cloud permissions plus sensitive data access.
Attack-path prioritization is more useful than flat severity lists because it includes exploitability, reachability, blast radius, and business impact.
Fixing one link in the chain can materially reduce risk even before all findings are remediated.
Hands-on example
If a public EC2 instance has a critical RCE and an IAM role that can read production secrets, the immediate actions are to restrict ingress, rotate any exposed credentials, patch or replace the instance, and reduce the role policy to least privilege.
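The following Python is an added illustration, not Wiz's code or scoring model. It models the prioritization described above over a small constructed inventory: each resource carries a set of finding labels, a toxic combination is a named chain whose members must all be present on one resource, and the score multiplies the reachability, exploitability and blast-radius factors (weighted by business impact) instead of counting findings flatly. It also shows the hands-on point that removing one link, such as restricting ingress on the public instance, collapses the chain. All resource names, finding labels and weights are assumptions chosen for the example.

```python
"""Toy toxic-combination (attack-path) detector and prioritizer.

Added example, not Wiz code: every name, label and weight here is constructed.
"""
from dataclasses import dataclass, field

# Named chains of weaknesses. A chain counts as a toxic combination only when
# every member is present on the same resource (constructed for this example).
TOXIC_COMBINATIONS = {
    "public-rce-privileged": {"internet_exposed", "critical_cve", "privileged_identity"},
    "leaked-secret-broad-access": {"leaked_secret", "broad_permissions", "sensitive_data_access"},
}

# Illustrative weights grouped by the prioritization factors named in the answer.
FACTOR_WEIGHTS = {
    "reachability": {"internet_exposed": 3, "leaked_secret": 3},
    "exploitability": {"critical_cve": 3, "broad_permissions": 2},
    "blast_radius": {"privileged_identity": 3, "sensitive_data_access": 3},
}


@dataclass
class Resource:
    name: str
    findings: set = field(default_factory=set)
    business_impact: int = 1  # 1 (low) .. 3 (production / crown jewels); assumed scale


def matched_combinations(resource):
    """Names of every toxic combination fully present on the resource."""
    return sorted(name for name, required in TOXIC_COMBINATIONS.items()
                  if required <= resource.findings)


def flat_severity(resource):
    """What a flat severity list effectively does: count findings, ignore context."""
    return len(resource.findings)


def risk_score(resource):
    """Multiply (1 + factor total) across factors, scaled by business impact.

    Because the factors multiply, a resource that is unreachable or has no
    blast radius scores far lower than one where all three line up, even if
    both carry the same number of findings.
    """
    score = resource.business_impact
    for weights in FACTOR_WEIGHTS.values():
        factor_total = sum(w for f, w in weights.items() if f in resource.findings)
        score *= 1 + factor_total
    return score


def prioritize(resources):
    """Order resources with toxic combinations first, then by risk score."""
    return sorted(resources,
                  key=lambda r: (len(matched_combinations(r)), risk_score(r)),
                  reverse=True)


def remediate(resource, finding):
    """Return a copy of the resource with one link of the chain removed.

    Modelling e.g. 'restrict ingress' (drops internet_exposed) or
    'reduce role to least privilege' (drops privileged_identity).
    """
    return Resource(resource.name, resource.findings - {finding}, resource.business_impact)


# Constructed inventory: the same finding counts, very different real risk.
INVENTORY = [
    Resource("web-ec2-prod", {"internet_exposed", "critical_cve", "privileged_identity"}, 3),
    Resource("batch-ec2-dev", {"critical_cve", "privileged_identity"}, 1),
    Resource("ci-runner", {"leaked_secret", "broad_permissions"}, 2),
]

if __name__ == "__main__":
    for r in prioritize(INVENTORY):
        print(f"{r.name:14} flat={flat_severity(r)} score={risk_score(r):4} "
              f"combos={matched_combinations(r)}")
    fixed = remediate(INVENTORY[0], "internet_exposed")
    print(f"after restricting ingress: score={risk_score(fixed)} combos={matched_combinations(fixed)}")
```

Running the module prints the prioritized inventory and then the score of the public instance after ingress is restricted; the chain no longer matches and the score drops sharply, while a flat finding count would barely move.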