What is mutual TLS, and where would you use it? [Advanced]
Answer
Mutual TLS (mTLS) means both client and server present certificates and authenticate each other. I use it for service-to-service communication, internal APIs, high-trust admin endpoints, and zero-trust environments where server-only TLS is not enough.
Technical explanation
Normal TLS authenticates the server to the client; mTLS authenticates both directions.
mTLS gives strong workload identity when certificates are issued and rotated safely.
A service mesh such as Istio can automate certificate issuance, rotation, and policy enforcement for mTLS between pods.
Hands-on example
Example: enable Istio STRICT mTLS for the payments namespace. Calls from checkout to payments carry a client certificate representing the checkout service account. Payments accepts only authorized identities and rejects plaintext or unknown workloads.
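The two Istio resources that implement the scenario above, as an added illustration rather than configuration from the original answer. It assumes the checkout workload runs in a `checkout` namespace under a `checkout` service account, that the payments pods carry the label `app: payments`, and that the request path is hypothetical.

```yaml
# PeerAuthentication in STRICT mode: the payments sidecars accept only mTLS
# connections, so plaintext callers are rejected at the transport layer.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: payments
spec:
  mtls:
    mode: STRICT
---
# AuthorizationPolicy: only the checkout service account identity, taken from
# the client certificate (SPIFFE principal), may call the payments workload.
# Once an ALLOW policy selects a workload, any request that matches no rule
# is denied, so unknown workloads get a 403 even though they completed mTLS.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-checkout
  namespace: payments
spec:
  selector:
    matchLabels:
      app: payments          # assumed label on the payments pods
  action: ALLOW
  rules:
  - from:
    - source:
        # assumed namespace and service account of the checkout workload
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/charges"]   # hypothetical endpoint, narrow the grant
```

Apply the PeerAuthentication first so the mTLS requirement is enforced before the identity-based rule depends on it; a call from any other service account then fails authorization rather than silently succeeding.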