What is a security incident response process, and what are its phases? [Advanced]
Answer
A security incident response process is a structured approach to handling suspected or confirmed security events. Common phases are preparation, identification, containment, eradication, recovery, post-incident review, and continuous improvement.
Technical explanation
Preparation includes runbooks, contacts, logging, access, tabletop exercises, and evidence-handling procedures.
Containment limits damage, eradication removes attacker access, and recovery restores trusted service.
Post-incident review should produce control improvements, not blame.
Hands-on example
Example: for suspected token theft, identify the affected identity, preserve logs, disable the token, rotate related secrets, block suspicious sessions, verify no persistence remains, redeploy clean workloads if needed, restore service, and write a postmortem with detection and prevention actions.
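The token-theft runbook above, worked through as an added example (not part of the original answer): the identification step reads constructed audit-log lines, follows any tokens minted with the stolen one so they are revoked too, the containment step emits the ordered action list, and a recovery gate confirms the revoked credentials are silent and no persistence action survives. Field names, the trusted-network prefix and the log records are all assumptions made for the example.

```python
import json

# Constructed audit-log lines (one JSON object per line); not from a real system.
AUDIT_LOG = """
{"ts":"2024-05-01T10:00:00Z","actor":"svc-deploy","token":"tok_A1","src":"10.0.0.5","action":"deploy.create","session":"s1"}
{"ts":"2024-05-01T10:05:00Z","actor":"svc-deploy","token":"tok_A1","src":"203.0.113.9","action":"secret.read","session":"s2"}
{"ts":"2024-05-01T10:06:00Z","actor":"svc-deploy","token":"tok_A1","src":"203.0.113.9","action":"token.create","session":"s2","new_token":"tok_B7"}
{"ts":"2024-05-01T10:07:00Z","actor":"svc-deploy","token":"tok_B7","src":"203.0.113.9","action":"secret.read","session":"s3"}
{"ts":"2024-05-01T10:08:00Z","actor":"svc-build","token":"tok_C2","src":"10.0.0.6","action":"build.run","session":"s4"}
"""
TRUSTED_NETS = ("10.",)  # assumed internal address prefixes (constructed)
PERSISTENCE = {"token.create", "key.create", "user.create", "role.grant"}

def parse_audit_log(text):
    return [json.loads(l) for l in text.strip().splitlines() if l.strip()]

def identify(events, stolen):
    """Identification: token owner, untrusted sessions, and credentials minted with it."""
    used = [e for e in events if e["token"] == stolen]
    actor = used[0]["actor"]
    # follow token.create hops so derived credentials (persistence) are revoked too
    derived, frontier = set(), {stolen}
    while frontier:
        frontier = {e["new_token"] for e in events if e["token"] in frontier
                    and e["action"] == "token.create"} - derived
        derived |= frontier
    bad = [e for e in events if (e["token"] == stolen or e["token"] in derived)
           and not e["src"].startswith(TRUSTED_NETS)]
    return {"actor": actor, "sessions": sorted({e["session"] for e in bad}),
            "derived": sorted(derived), "actions": sorted({e["action"] for e in bad})}

def containment_plan(f, stolen):
    """Containment and eradication steps, in execution order."""
    plan = [f"disable token {stolen}"]
    plan += [f"revoke session {s}" for s in f["sessions"]]
    plan += [f"disable derived token {t}" for t in f["derived"]]
    if "secret.read" in f["actions"]:
        plan.append(f"rotate secrets readable by {f['actor']}")
    return plan

def verify_no_persistence(events_after, actor, revoked):
    """Recovery gate: revoked credentials are silent and no untrusted persistence action remains."""
    for e in events_after:
        if e["token"] in revoked:
            return False
        if e["actor"] == actor and e["action"] in PERSISTENCE \
           and not e["src"].startswith(TRUSTED_NETS):
            return False
    return True
```

Run `identify` on the log, feed its findings to `containment_plan`, and only re-enable service once `verify_no_persistence` returns True on the post-containment log.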