How would you remediate a critical CVE in a third-party Java dependency (as you did at Intuit)? [Intermediate]
Answer
For a critical CVE in a third-party Java dependency, I would identify whether it is direct or transitive, confirm exploitability in our service, upgrade the dependency or parent BOM, run regression tests, rebuild the artifact/image, deploy safely, and verify with SCA and runtime scans.
Technical explanation
The first step is dependency mapping with `mvn dependency:tree` or `gradle dependencies` to find the exact path that introduced the vulnerable jar, which tells you whether the dependency is declared directly or pulled in transitively.
If a direct upgrade is safe, pin the fixed version. If it is transitive, upgrade the parent library/BOM or, with care, override the version in dependencyManagement and confirm the override actually takes effect by re-running the tree.
Verification should include build success, unit/integration tests, SBOM regeneration, vulnerability rescan, and production rollout monitoring.
Hands-on example
mvn dependency:tree -Dincludes=org.example:vulnerable-lib
# Update pom.xml dependencyManagement to a fixed version
mvn -B clean verify
syft packages dir:. -o cyclonedx-json > sbom.json
trivy fs --severity CRITICAL,HIGH .
Then deploy canary, monitor errors/latency, and close the ticket only after the scanner no longer reports the CVE.
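As an added example (not part of the original answer), here is a small Python helper that parses `mvn dependency:tree` output, finds every path that pulls in a named artifact, and says whether the fix is a direct pin or a parent upgrade/dependencyManagement override; the sample tree, project and coordinates in it are constructed, not from a real build.

```python
import re

# Constructed sample of `mvn dependency:tree` output (hypothetical project).
SAMPLE_TREE = """\
[INFO] com.example:my-service:jar:1.0.0
[INFO] +- org.springframework:spring-core:jar:5.3.1:compile
[INFO] |  \\- org.springframework:spring-jcl:jar:5.3.1:compile
[INFO] +- org.example:wrapper-lib:jar:2.0.0:compile
[INFO] |  \\- org.example:vulnerable-lib:jar:1.4.2:compile
[INFO] \\- junit:junit:jar:4.13:test
"""
BRANCH = re.compile(r"[+\\]- ")  # "+- " or "\- " introduces a tree node

def parse_tree(text):
    """Yield (depth, 'group:artifact', version); the project root is depth 0.
    Assumes group:artifact:type:version[:scope] coordinates (no classifier)."""
    for line in text.splitlines():
        if not line.startswith("[INFO] "):
            continue
        body = line[len("[INFO] "):]
        m = BRANCH.search(body)
        depth = 0 if m is None else m.start() // 3 + 1  # each level indents 3 chars
        parts = (body if m is None else body[m.end():]).split(":")
        if len(parts) < 4:  # skip plugin banners, "BUILD SUCCESS", etc.
            continue
        yield depth, f"{parts[0]}:{parts[1]}", parts[3]

def find_paths(text, ga):
    """Return every path (root excluded) that ends at artifact `ga`."""
    stack, paths = [], []
    for depth, node, version in parse_tree(text):
        del stack[depth:]  # back out of deeper subtrees before adding this node
        stack.append((node, version))
        if node == ga:
            paths.append(list(stack[1:]))
    return paths

def remediation(text, ga, fixed_version):
    """Say where `ga` comes from and which pom change removes the vulnerable jar."""
    paths = find_paths(text, ga)
    if not paths:
        kind, action = "absent", "not in this module's build graph"
    elif any(len(p) == 1 for p in paths):  # declared in the project's own pom
        kind, action = "direct", f"pin {ga}:{fixed_version} in <dependencies>"
    else:  # only pulled in by other libraries: fix the parent or override
        parents = sorted({p[-2][0] for p in paths})
        kind = "transitive"
        action = f"upgrade {', '.join(parents)} or override {ga} to {fixed_version} in <dependencyManagement>"
    return {"kind": kind, "paths": [" -> ".join(f"{n}:{v}" for n, v in p) for p in paths], "action": action}
```

Feed it the real tree with `mvn dependency:tree | python3 -c '...'` or save the output to a file; the `paths` list is what you attach to the ticket to show where the jar comes from.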