How would you respond to a suspected credential compromise in production? [Advanced]
Answer
For suspected production credential compromise, I would treat the credential as exposed, contain access immediately, rotate or revoke it, investigate usage, assess blast radius, restore trusted credentials, and add controls to prevent recurrence.
Technical explanation
Containment should be fast: disable the credential or restrict its permissions while preserving forensic evidence.
Investigation should review the audit trail (CloudTrail, Kubernetes audit logs, CI logs) to establish the source IPs, the actions performed by the principal, and the time window in which the credential was used.
Recovery should include rotation of dependent credentials, validation that attackers did not create persistence, and heightened monitoring.
Hands-on example
Runbook:
1) Open incident.
2) Revoke/disable credential.
3) Snapshot relevant logs.
4) Identify all actions by that principal.
5) Rotate downstream secrets.
6) Remove persistence such as new access keys or roles.
7) Verify service health.
8) Close with lessons learned.
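Steps 4 and 6 of the runbook, worked through as an added example (not part of the original answer): given CloudTrail-style records and the access key ID under suspicion, summarise what that principal did, from where and when, and flag IAM calls that would need removal as persistence. The event records, access key IDs and IP addresses are constructed sample data, and the persistence list is an illustrative subset.

```python
"""Triage a suspected compromised AWS access key against CloudTrail events.

Added example: the records, key IDs and IPs below are constructed sample data.
"""
from datetime import datetime

# IAM calls that create or extend access and therefore need explicit review
# during recovery (illustrative subset, not an exhaustive list).
PERSISTENCE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateRole", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}

# Constructed CloudTrail-style records (only the fields this triage needs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T09:58:10Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "10.0.4.21", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:02:33Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:03:05Z", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-05-01T10:04:40Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "10.0.4.21", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000002"}},
]


def triage_access_key(events, access_key_id):
    """Summarise every event performed with access_key_id: window, IPs, actions, persistence."""
    hits = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    if not hits:
        return {"event_count": 0}
    times = sorted(datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ") for e in hits)
    return {
        "event_count": len(hits),
        "first_seen": times[0].isoformat(),
        "last_seen": times[-1].isoformat(),
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "actions": sorted({f'{e["eventSource"]}:{e["eventName"]}' for e in hits}),
        # Persistence indicators: each of these is an artefact to remove in step 6
        "persistence_indicators": [
            {"time": e["eventTime"], "action": e["eventName"], "ip": e["sourceIPAddress"]}
            for e in hits if e["eventName"] in PERSISTENCE_ACTIONS
        ],
    }


if __name__ == "__main__":
    print(triage_access_key(SAMPLE_EVENTS, "AKIAEXAMPLEKEY000001"))
```

A new source IP appearing alongside a persistence action, as in the sample output, is the pattern that should widen the rotation scope beyond the original credential.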