What is the difference between a vulnerability, a threat, and a risk? [Advanced]
Answer
A vulnerability is a weakness in an asset (a bug, a misconfiguration, a missing control). A threat is a potential actor or event that could exploit that weakness. Risk is the combination of the likelihood that the threat actually exploits the vulnerability and the impact on the business if it does. Risk therefore needs business context: a vulnerability on its own, without a threat that can reach it and an asset that matters, is not the full picture.
Technical explanation
Example vulnerability: an outdated library with a known remote code execution (RCE) flaw.
Example threat: internet attackers scanning for that RCE.
Example risk: an internet-facing production customer-data service running that library is likely to be compromised, leading to data exposure and downtime. The likelihood comes from the exposure and the active scanning; the impact comes from what the service holds and who depends on it.
Hands-on example
Hands-on: document a risk register entry with asset, vulnerability, threat actor, exposure, impact, current controls, likelihood, residual risk (what remains after the current controls are taken into account), owner, due date, and decision: remediate, mitigate, transfer, or accept.
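The following is an added example of such a register entry, written for this page rather than taken from any tool or standard. It models the scenario above on a 5x5 likelihood/impact matrix, derives residual risk from the controls already in place, and checks that the recorded decision is consistent with the risk appetite. The scales, the step-down control model, the appetite threshold of 6, and the sample asset and owner are all assumptions.

```python
"""Risk register entry: inherent vs. residual risk on a 5x5 likelihood/impact matrix.

Added example for the hands-on exercise; the scales, control model and appetite
threshold are assumptions, not a standard the page prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Qualitative scales mapped to 1-5 (assumed; organisations define their own).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
DECISIONS = ("remediate", "mitigate", "transfer", "accept")


@dataclass
class Control:
    """A control already in place, modelled as steps down the likelihood/impact scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class RiskEntry:
    asset: str
    vulnerability: str
    threat_actor: str
    exposure: str
    impact: str                    # key of IMPACT; needs business context
    likelihood: str                # inherent likelihood, key of LIKELIHOOD
    controls: list[Control] = field(default_factory=list)
    fix_available: bool = False    # e.g. a patched library version exists
    owner: str = ""
    due_date: Optional[date] = None

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are credited."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_likelihood(self) -> int:
        reduced = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        return max(1, reduced)  # controls never make exploitation impossible

    def residual_impact(self) -> int:
        reduced = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(1, reduced)

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.residual_impact()

    def recommended_decision(self, appetite: int = 6) -> str:
        """Accept within appetite; otherwise remediate if a fix exists, else mitigate.
        'transfer' (insurance, contract) is a business call and is never recommended automatically."""
        if self.residual_score() <= appetite:
            return "accept"
        return "remediate" if self.fix_available else "mitigate"

    def validate_decision(self, decision: str, appetite: int = 6) -> str:
        """Reject unknown decisions, silent acceptance above appetite, and unowned work."""
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if decision == "accept" and self.residual_score() > appetite:
            raise ValueError("cannot accept a risk above appetite without a recorded exception")
        if decision in ("remediate", "mitigate") and (not self.owner or self.due_date is None):
            raise ValueError("remediate/mitigate require an owner and a due date")
        return decision

    def to_row(self, decision: str, appetite: int = 6) -> dict:
        """One register row with every field the exercise asks for."""
        return {
            "asset": self.asset,
            "vulnerability": self.vulnerability,
            "threat_actor": self.threat_actor,
            "exposure": self.exposure,
            "impact": self.impact,
            "current_controls": [c.name for c in self.controls],
            "likelihood": self.likelihood,
            "inherent_risk": self.inherent_score(),
            "residual_risk": self.residual_score(),
            "owner": self.owner,
            "due_date": self.due_date.isoformat() if self.due_date else None,
            "decision": self.validate_decision(decision, appetite),
        }


def example_entry() -> RiskEntry:
    """Constructed sample entry matching the page's scenario (not real data)."""
    return RiskEntry(
        asset="production customer-data API",
        vulnerability="outdated library with a known RCE",
        threat_actor="opportunistic internet attackers scanning for the RCE",
        exposure="internet-facing; vulnerable code path reachable before authentication",
        impact="severe",
        likelihood="likely",
        controls=[
            Control("WAF rule blocking the known exploit pattern", likelihood_reduction=1),
            Control("network segmentation limiting lateral movement", impact_reduction=1),
        ],
        fix_available=True,
        owner="platform-team",        # assumed owner
        due_date=date(2025, 1, 31),   # assumed due date
    )


if __name__ == "__main__":
    entry = example_entry()
    print(entry.to_row(entry.recommended_decision()))
```

Note the two checks that matter in practice: residual risk is what the decision is made on, not the inherent score, and "accept" is only valid when that residual figure sits inside the stated appetite. The WAF rule lowers likelihood but not impact; segmentation lowers impact but does nothing about whether the RCE is reached. Because a patched library exists, the recommended decision is to remediate rather than keep living behind compensating controls.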
More Security & DevSecOps interview questions
- What is DevSecOps, and how does it differ from traditional security gating at the end? [Basic]
- What does shift-left security mean, and why does it matter? [Basic]
- What is the difference between SAST, DAST, IAST, and SCA? [Basic]
- When in the pipeline does each of SAST, DAST, and SCA run? [Basic]
- What is the difference between SAST and DAST, and what does each catch and miss? [Basic]
- What is software composition analysis (SCA), and why does it matter for dependencies? [Basic]
- What is SonarQube, and what does it analyse? [Basic]
- Is SonarQube primarily SAST, code quality, or both? [Basic]