Security has never been more important than it is right now. As a society, we have become comfortable with putting much more sensitive and important information in areas that we don’t control. On top of that, we work collectively, with many of the applications we used to host on our own systems now being hosted in the cloud. While these new trends create tons of possibilities, the growing complexity of systems, the sensitivity of data, and widening access to our networks means that the role of the dedicated security engineer has become essential to most companies.
Security Engineers are not simply your standard software engineer or developer that has been pulled in from another function to look at security. The best candidates have unique skill sets and approaches that make them uniquely suited to this purpose. Security Engineers require a dedicated screen separate from the other technologies that you use. Keep reading to find out exactly what your security engineer needs to know and how to find out if they know it.
1. What is a security engineer?
It used to be that engineers and developers were responsible for the security of the systems they worked on. Probably, sometime in the early eighties, one or two companies started hiring people with the sole purpose of focusing on security but the role of the security engineer didn’t really gain popularity until the early 2000s.
1.1 What are security engineers responsible for?
A security engineer’s primary goal is to prepare your company against cyber attacks. Among other things, they’ll fix unsafe procedures, apply software and hardware update policies, and design access controls to various systems and data.
Security engineers are always thinking about threats to your system. This means being responsible for defining, enumerating on, and modeling any and all potential security threats. They are also responsible for recognizing the security requirements of your computer systems and networks. So how do they do this?
1.2 What types of work do security engineers do?
Engineering Solutions are a big part of the job. Security engineers also implement and enforce security policies. With policies in place, it’s been up to them to monitor, maintain, and apply any mitigations, countermeasures, and other security infrastructure. They’re also responsible for creating and then developing incident response actions and guidelines.
Protecting systems is certainly one part of the job, but security engineers often have to think a step further to the types of assets that those systems are storing. In addition to protecting the network and IT infrastructure of your company, they also focus on securing the company’s intellectual property held in these places. They also deal with some physical security as cyber attacks often have a physical component.
1.3 Why have a security engineer?
A security engineer or a team of security engineers take ownership of this crucial area of software development. By developing a specialist competence in security, security engineers are able to achieve better results than a normal development team would. This is primarily because they’re better able to keep up with new threats including vulnerabilities found in popular software. By making it their job to react to these threats, they can protect the company before these are used against them. By maintaining a dedicated security engineer or security team, your company can go on the offensive against threats and defend themselves rather than having to mitigate the effects of a security breach.
The benefits of increased IT security means you are increasingly finding a dedicated person or a team dedicated to security pop up in mid to large companies where you would not have found one just a few years ago. These teams will often include pentesters in addition to security engineers. Pentesters are the ying to a security engineers yang. A security engineer builds defenses in your system while the pentester tries to find ways to break through them. By revealing vulnerabilities, the pentester helps the security engineer build stronger defenses.
The best security engineers are specialists in the subject. That said, there are no formal requirements to become a security engineer. For most people, it’s a mix of having a strong understanding of computer science mixed with an understanding of human psychology.
2. What is important for an IT Recruiter to know about security?
Paradigm shifting events are rather rare in security. But that fact should not encourage complacency. All you need to do is pay attention to how often updates come to your antivirus to realize that new attacks, vulnerabilities, and other security problems are a daily occurrence.
Over time, these attacks tend to change and evolve in certain directions. For example, nowadays it’s more common to find an XSS attack rather than a formerly popular malicious Java applet. What a recruiter does have to understand though is that security requires a very broad knowledge of IT topics.
Security Engineers need to understand system administration, computer networks, and programming. They also need to understand how these components all come together to create barriers and fix weaknesses. A holistic system approach can efficiently deal with security issues across a network.
3. What tools and techniques should a security engineer be familiar with?
Like many developed areas of technology, there are a plethora of tools available to security engineers. These include frameworks, libraries, and other tools used to track, defend, and determine the probable causes of security breaches.
In addition to tools, security engineers need to understand more domain specific issues. These include social engineering, phishing, buffer overflows, XSS, zero-days, and Metasploit. They should have a good knowledge of administrative tools, firewalls, antivirus solutions, and threat modeling. Finally, an understanding of Intrusion Detection Systems/Intrusion Prevention Systems or Security Information and Event Management systems is required on a daily basis.
3.1 helpful experience for security engineering candidates
To help deal with security-related issues, skills in server administration, fleet administration, network administration, and basic script programming are important. A good indicator that your candidate has dealt with security issues is commercial experience in similar positions. Outside of commercial experience, being a contributor to security-related open source projects and taking part in events that are security related such as CTF games or security conferences are a strong indicator of interest in security skills. Experience with pentesting or security research is also helpful.
4. Screening a security engineer using their resume
Your candidate’s resume is a good place to start to find out what they are familiar with. But it’s real value is as a guideline for questioning during the interview stage. In addition to looking out for the experience that we mentioned above, it is important to look out for certain important technologies on a candidate’s resume. To help you out, we have compiled a glossary of security-specific terms.
4.1 Security engineer glossary for technical recruiters
|APT (Advanced Persistent Threat)||A long term attack, where an attacker or a group of attackers stay covered for a long period of time, usually using advanced techniques and exploiting unknown vulnerabilities known as 0 days.|
|Arbitrary Code Execution (ACE)||See Remote Code Execution.|
|Antivirus||Software dedicated to extending security, especially for end nodes. It is used to detect malware or unwanted software using either static analysis using signatures or behavioral analysis.|
|CCNA Security Certification (Cisco Certified Network Associate Security Certification )||Cisco security oriented certification.|
|CIA Triangle/Triade/Principle (sometimes called AIC to avoid mistaking with an intelligence agency)||CIA stands for Confidentiality, Integrity, and Availability. Three key aspects of security that help in threat modeling and ensuring the security of the computer system.|
|CISSP (Certified Information Systems Security Professional)||A well known and respected security certification.|
|CSRF (Cross Site Request Forgery)||An attack that exploits the trust that the site has for user/browser. The attacker tries to trick an authenticated user into involuntary executing an action e.g. by sending a prepared link.|
|CVE (Common Vulnerability and Exposures)||A system maintained by MITRE Corporation that provides unique IDs for publicly known vulnerabilities.|
|DLP (Data Loss/Leak/Leakage Prevention)||Technologies and set of tools used to ensure vital data security. DLP systems use transparent encryption/decryption methods to filter traffic that contains critical and valuable data to ensure that unencrypted information will never leave the organization’s network.|
|Hardening||Steps that are taken to enhance the security of an application or a computer system by applying patches, installing additional modules, or removing unnecessary parts. Hardening reduces the attack surface and, in some cases, prevents the attacker from doing any meaningful harm after successful hack.|
|HSTS (HTTP Strict Transport Security)||A security measure that protects against lowering the security standard of transmission over HTTPS.|
|Social engineering||Hacking humans instead of machines (e.g. convincing the secretary that she is supposed to copy a document, instead of breaking in and stealing it).|
|IDS/IPS NIDS/HIDS (Intrusion Detection System / Intrusion Prevention System Network Intrusion Detection System/Host Intrusion Detection System)||Systems providing tools for detecting, recognizing, and reporting malicious behavior that may be caused by an intrusion. IPS also provides the ability to mitigate intrusions after detecting them.|
|Test di penetrazione||An authorized process of security testing of a system or an application that simulates a real-world attack. It provides knowledge about the actual security of the tested subject. Penetration testing can be divided based on the knowledge that testers have. White box is a type of attack where the attackers have deep knowledge about the target. In contrast, black box is a scenario where the testers have little or no knowledge about the tested system.|
|Malware/ransomware||The term malware stands for malicious software and describes programs that are harmful by design. Malware is a broad term that describes multiple types of malicious software like computer viruses, rootkits and, worms. Ransomware is the malware that locks users data, usually encrypting it and demanding ransom for decryption.|
|Metasploit||Software developed and maintained by Rapid7. It could be called a pentester’s swiss army knife. Metasploit provides a database of known exploits and additional software and methods (for example used for Antivirus evasion) that help conduct penetration testing.|
|Nmap/port scanning||Port scanning is the process of determining which network ports are opened by sending TCP or UDP packets to and investigated host and interpreting the response obtained. Nmap is a popular port scanner, a tool that is used to conduct port scanning.|
|OSCE (Offensive Security Certified Expert)||Penetration testing certification.|
|OSCP (Offensive Security Certified Professional)||Penetration testing certification.|
|PBKDF||In cryptography, KDF (key derivation function) is a function that produces secret keys based on a secret input. PBKDF stands for password-based key derivation function and is used to derive a secret key from a user’s password.|
|Phishing||An attack type aiming to obtain user credentials, confidential data. It usually consists of sending emails impersonating some authority (like security stuff, chief, employer) and redirecting users to a website that imitates a trusted login page. This can be done by having an URL domain differing on letters that are similar (like capital i and small L) or typosquatting for example. It is an attack that exploits not only technical vulnerabilities but also using social engineering.|
|Red Team||A group of security specialists which challenges an organization’s security systems and procedures in real-world scenarios. Red team assessments may use not only cyber vectors but also physical ones like breaching into buildings, planting devices in an organization’s networks and computers that may help to compromise its systems. A possible outcome can be to exfiltrate confidential data. Red teams are hired to help training blue teams – specialists whose job is to keep a company’s system secure, monitor and respond to incidents, and minimize the effects of breaches.|
|RCE/ACE (Remote code execution/Arbitrary code execution)||Describes the impact of vulnerability that allows the attacker to execute arbitrary code or commands on the targeted system. RCE occurs when the attacker is able to execute arbitrary code on the remote host over the network.|
|Sandbox||A term used to describe a type of secure, unprivileged, and isolated environment where untrusted software can be executed without causing any harm to other systems.|
|SIEM (Security Information and Event Management)||Complex tools used for logs aggregation, monitoring, and reporting real-time analysis of alerts and events generated by software and hardware solutions in an organization’s network.|
|SPAM||Unwanted and unsolicited messages sent via email.|
|Spear-phishing||Highly aimed phishing attack focused on one person/organization etc. Usually preceded with long and exhaustive reconnaissance.|
|SQL Injection (SQLi)||One of the most popular attacks targeting database queries in applications. They are caused by improper sanitization, encoding, and handling of user provided data. SQLi attacks lead to the execution of arbitrary SQL statements on database and exfiltration or modification of its contents.|
|SSTI (Server Side Template Injection)||A code injection technique that occurs when the server uses user submitted data in the template. This type of attack may lead to a server-side arbitrary code execution.|
|Threat modeling||This is a process which recognizes, identifies, and prioritizes potential threats. For example, it could expose vulnerabilities that could be exploited by an attacker to compromise computer systems. Threat modeling helps to design and implement procedures, policies, and actions to secure valuable assets making attacks unprofitable. To make threat modeling easier, methodologies like VAST were designed.|
|VAST (Visual Agile and Simple Threat modeling)||A methodology used in threat modeling.|
|Vulnerability Assessment||A process of searching a system for known threats (known vulnerabilities) using techniques like port scanning and services fingerprinting. During vulnerability assessments, results are analyzed to determine the weaknesses of the system and mitigations are provided to minimize the risk or impact of a possible attack.|
|WAF (Web Application Firewall)||A tool used for hardening web application. WAFs validate user input and monitors requests for malicious ones, then block them and report.|
|XSRF||Yet another acronym for CSRF|
|XSS (Cross-Site Scripting)||
|XXE (XML External Entity)||An attack targeting XML processing applications which do not properly handle references to external entities. Usually, this type of vulnerability leads to data disclosure.|
4.2 The most common security engineering names that are used interchangeably
- CRSF <-> XSRF (see glossary)
4.3 Versions of security topics that are completely different
- SSTI usually is preceded by XSS, but it leads to server-side code execution. In contrast, XSS is about executing client-side code.
4.4 How important are security engineering certificates for assessing a candidate’s coding skills?
Certificates certainly aren’t everything but there are some notable certificates that are respected for security engineers. These are good to have but are not essential. The most common respected ones are:
- CCNA [Security]
4.5 Other things to look out for on a security engineer’s resume
- It is good to have a list of submitted CVEs (see glossary)
5. Security engineer interview questions to ask during a phone/video technical interview
A security engineer resume can give you a clue about a security engineers knowledge and experience, but it’s important to be able to test what the candidate can actually talk about, and how they have applied their knowledge in the past.
5.1 Domande sull'esperienza del candidato
Q1: Have you handled a breach? How did it happen? How could it be prevented?
Why you should ask Q1: The candidate will be able to share their experience with the given industry. Huge breaches do not happen daily, but minor accidents do, so the candidate should have some thoughts and conclusions on that topic. Note that specific cases are vital information and details may be confidential so an interviewee may not be allowed to talk about them.
Q2: What’s your opinion about the security engineer role in the company?
Why you should ask Q2: The candidate should know the responsibilities of a security engineer in an organization. Note that particular tasks may be out or in the scope of this function – it depends on the organization’s structure.
Q3: What do you think about BYOD (bring your own device)?
Why you should ask Q3: No matter what side of the augment the candidate chooses, it’s key to understand the risks, weaknesses, and proper handling of untrusted devices and access to the organization’s data.
5.2 Domande sulle conoscenze e le opinioni del candidato
Q1: What is a threat, vulnerability, exploit, and mitigation? (explain)
Why you should ask Q1: This question will allow the candidate to show their understanding and basic knowledge of terms used in IT security. The candidate should point out that mitigations are patches/corrections applied to software (or other mechanisms used for example on kernel level) to prevent exploiting the vulnerability.
Q2: What is a SQL Injection and how it differs from XXE? (explain)
Why you should ask Q2: The candidate should be able to show a basic understanding of some common vulnerabilities encountered in modern applications.
Q3: What leads to SSTI (server-side template injection) and is it more dangerous than XSS? How do they differ?
Why you should ask Q3: Vulnerabilities are complex. Sometimes, the occurrence of one type of mistakes may hint that another part of the application is also misbehaving and the real threat has a much higher impact than was initially thought.
Q4: What are: IDS, IPS, and EDR. How they differ?
Why you should ask Q4: The candidate should be able to differentiate the basic classes of tools used to discovering and preventing attackers from causing losses.
Q5: How does asymmetric encryption work? When should you use it? What are the pros and cons in comparison to symmetric encryption? Name one symmetric and one asymmetric encryption algorithm.
Why you should ask Q5: Cryptography is ubiquitous in securing modern day applications. The candidate should know drawbacks of asymmetric encryption (e.g. speed).
Q6: What is the difference between stream cipher and block cipher?
Why you should ask Q6: The candidate should be able to show basic knowledge about tools provided by modern cryptography and their use cases.
Q7: What is hashing (cryptographical), what it is used for, when, and how does it differ from encryption? Name one hashing algorithm that should not be used and one “not proven unsecure”.
Why you should ask Q7: The candidate should know that for example storing passwords of clients in plaintext is a reprehensible practice and this is the place where hashing functions should be deployed. For example, the unsecure function is MD5. SHA256 is still not proven to have collisions and it’s rather safe to use it.
Q8: What is PBKDF, how does it work? Why use it?
Why you should ask Q8: The candidate should be able to show knowledge about the existence of these mechanisms and efficient/convenient ways of implementing security on a daily basis.
Q9: How CSRF differs from XSS?
Why you should ask Q2: The candidate should be able to differentiate classes of common vulnerabilities.
Q10: What is a fingerprint?
Why you should ask Q10: This topic allows the candidate to talk about methods of identifying encountered systems. The technique is usually used by the attacker in the reconnaissance phase. The candidate may also talk about unique fingerprint based tracking methods.
Q11: How to check if the downloaded file is correct?
Why you should ask Q2: This question gives the candidate the ability to show some practical and basic knowledge about checksums, hashing algorithms, and cryptographic signatures.
Q12: Explain the CIA principle.
Why you should ask Q12: The CIA principle or CIA triangle is a basic model used to create security policies. The candidate should be able to use it to show their deep knowledge of which rules should be considered when developing rules and policies.
Q13: What is port knocking?
Why you should ask Q13: The candidate should be familiar with basic security measures. This question is a little bit tricky because port knocking shouldn’t be considered bulletproof.
Q14: Name secure protocol to manage remote servers?
Why you should ask Q14: The candidate should be able to talk about basic tools ensuring security during daily tasks like remote servers management. SSH is one of them.
Q15: What is rlogin and should it be used? Why? Why not? Explain
Why you should ask Q15: IT security is a very dynamic field but sometimes environments must address legacy requirements. That’s why they use old technologies like rlogin. By answering that question, the candidate can prove they have an in-depth knowledge of security tools and knows which of them lacks security and why.
Q16: What is hardening?
Why you should ask Q16: This question should give the candidate an opportunity to talk about various methods of making the environment and applications more secure.
Q17: What is penetration testing? What is vulnerability assessment? How do they differ? What is a security audit?
Why you should ask Q17: This question is a little bit tricky. Sometimes these terms are misunderstood and used interchangeably. Management may misuse these terms, so the candidate should be familiar with them and know the differences.
Q18: Name one pentesting guide.
Why you should ask Q18: Pentesting reports usually appear on a security engineer’s desk. The candidate should be able to know some guidelines of penetration testing not only to properly handle reports but also consider features not affected by the pentest.
Q19: What is PKI (public key infrastructure)? How does it work?
Why you should ask Q19: By answering this question, the candidate can prove their knowledge of handling authentication provided by cryptographical solutions. The candidate should be conscious of the assumptions that go with this kind of mechanisms.
Q20: What is Kerberos? What it’s used for? Can it be used in Windows domains?
Why you should ask Q20: A large organization’s networks need special solutions to reduce attack surfaces in areas connected with access restrictions. The candidate can show their understanding of one of the most popular solutions, its advantages, and limitations.
Q21: What is certificate pinning? How to do it properly?
Why you should ask Q21: This question is about ensuring security despite communication over an insecure channel. It will help the candidate to show their knowledge of common mitigations.
Q22: What you do when your private certificate is stolen?
Why you should ask Q22: The is a practical question which gives the candidate the opportunity to talk about actions that are rather rare but have a really strong impact on company security. This may be a very stressful and dangerous situation and knowing how to deal with it is one of the software engineering attributes.
Q23: Name one popular vulnerability scanning tool?
Why you should ask Q23: This question, while not strictly about a security engineer’s job, enables the candidate to prove their knowledge of tools used in security assessments.
Q24: What is a blue team, red team, and purple team? Which one is the most important one?
Why you should ask Q24: Based on this question, the candidate will show if they are more into offensive security or defense. But no matter the choice, these questions will show an understanding of modern-day security challenges and solutions.
Q25: What is DLP, how does it work?
Why you should ask Q25: This question will give the candidate an opportunity to talk about some techniques that help to prevent or localize data leakage.
Q25: What is WAF? Name one WAF solution.
Why you should ask Q25: Web applications are really popular these days. That’s why they become targets very often. The candidate should have some knowledge of the possibilities of protecting them and common products that can be applied.
Q26: What is SOP (same origin policy)?
Why you should ask Q26: The candidate should be able to speak about those mitigations as they are implemented in modern browsers, their strong points, and weaknesses.
Q27: What is CSP (content security policy), when should it be used?
Why you should ask Q27: Since XSS has stayed on top of the OWASP Top 10 list of vulnerabilities, this question will allow the candidate to show that they are familiar with this problem and know the proper mitigations.
Q28: How to mitigate SQL Injection?
Why you should ask Q28: This question enables the candidate to talk about some basic mitigations used in applications (e.g prepared statements) to ensure that user-provided data is handled the right way and stays classified as untrusted.
Q29: What is HSTS? Why you should use it?
Why you should ask Q29: The man in the middle has a great impact on security. The candidate answering this question should be able to show a basic understanding of cryptography appliances and solutions which mitigate this dangerous attack.
Q30: Explain how TLS works (in a few sentences).
Why you should ask Q30: This question provides the opportunity for the candidate to talk about modern-day cryptographic solutions to secure insecure communication channels with very popular technology.
Q31: What is the difference between authorization and authentication?
Why you should ask Q31: This is a really basic question that will show that the candidate has a proper understanding of terms and challenges that they will be challenging every day in their job as a security engineer.
Q32: What are ACLs? How to use them?
Why you should ask Q32: This question will show that the candidate has proper knowledge of access restriction solution in modern day systems.
Q33: Name levels of confidentiality.
Why you should ask Q33: This question allows the candidate to talk about basic terms used to judge the level of the protection of assets in the organization.
Q34: What is RADIUS? When should you use it?
Why you should ask Q34: By answering this question, the candidate will show their in-depth knowledge of modern-day solutions for authenticating and authorizing users, which is the key level of assuring security.
Q35: What is VLAN, when should you use it? How does VLAN hopping work?
Why you should ask Q35: This question will allow the candidate to tell how to use network solutions for network separation.
Q36: How to secure WiFi in an organization? (network separation)
Why you should ask Q36: This is a broad topic. The candidate can show the understanding of the complex problem and their understanding of threat modeling.
Q37: Name three ways of security testing depending on the level of knowledge of the attacker. Which one is the most reliable and simulates a real-world scenario?
Why you should ask Q37: Pentests are one of the ways to challenge implemented security measures. The candidate will be able to show their level of knowledge of the simulated attacking team that will help with threat modeling and analysis of the reports.
Q38: Name every layer of the ISO/OSI model.
Why you should ask Q38: This question will provide the candidate the opportunity to show the basic knowledge of networks.
Q39: What is residual risk?
Why you should ask Q39: The candidate will be able to show their in-depth knowledge of threats and threat modeling. This is a key ability used in risk assessments.
Q40: Imagine you work for a small company. There are several interns employed each month for a short period of time. They need access to some servers and a WiFi network. How will you handle it?
Why you should ask Q40: This is a practical and broad topic that will allow the candidate to show their knowledge of networks and security solutions that help to ensure security in companies in a convenient way. He/she should point to mechanisms used to bypass the need for sharing and changing one password among the team.
Q41: What is a password manager? What should it be used for?
Why you should ask Q41: This question helps the candidate to show their knowledge about simplifying security mechanisms for end users.
Q42: Which policy is better – blacklisting or whitelisting, and why?
Why you should ask Q42: This question will enable the candidate to show a basic knowledge about the position of defenders in cyber-warfare. Knowing the disadvantages of whitelists may prevent catastrophic events in the future.
Q43: Define what a man in the middle attack is.
Why you should ask Q43: This question helps the candidate to show their knowledge about modern days’ threats and popular attacks. It should also give the opportunity to talk about countermeasures.
Q44: How does the Diffie-Hellman key exchange (DHKEX) work?
Why you should ask Q44: This question will allow the candidate to talk about one of the most popular and commonly used mechanism.
Q45: What is SIEM and how does it work?
Why you should ask Q45: The candidate will be able to show their understanding of the tools deployed to help to defend an organization’s assets.
Q46: What are DoS and DDoS? What’s the difference?
Why you should ask Q46: This is an easy question that will show a basic understanding of really common and old attacks that are still very popular nowadays.
Q47: How do you prevent DNS spoofing and how do you secure a DNS?
Why you should ask Q47: This question will enable the candidate to show his or her administrative knowledge and understanding of modern threats in organizations. Talking about securing a DNS will show that the candidate is familiar with cryptographic mechanisms and solutions provided to fight current threats in internal networks.
5.3 Behavioral Questions you should ask to understand how the candidate has acted in the past
Q1: The last two years were occupied by ransomware attacks that caused havoc in organizations and companies which caused giant financial and reputational losses. What steps would you take to prevent such accidents happen in your organization?
Why you should ask Q1: This question will allow the candidate to challenge modern days’ threats and show their creativity in solving non-trivial problems.
Q2: Your IDS reported a breach. What would you do to eliminate the threat?
Why you should ask Q2: This is a broad topic that will allow the candidate to show their understanding of security policies, understanding of the complexity of security problems and show their wide view on the problem.
6. Technical screening of security engineering skills using an online coding test
Security should not be an abstract concept that you think about. It should be an ongoing series of preparations against and reactions to the security threats that your organization is faced with. As we discussed, a major component of this is the ability to code, using tools to test the security of an application or network. The coding test that you use should reflect that.
6.1 Which security programming test should you choose?
When looking for the right security online programming test you should make sure they match the following criteria.
- They reflect the real work being done, with real contemporary security challenges
- They don’t take too much of the candidates time, one to two hours max
- They can be sent automatically and can be taken anywhere to give you and your candidate flexibility
- They go beyond checking whether the solution works to also check the quality of the code and how well it works in edge cases
- They’re as close to the natural programming environment as possible and let the candidate access the kinds of resources they normally would at work
- They let the candidate use all the libraries, frameworks, and other tools they normally would use, including the ones most important to the job
- They are at a proper level that matches the candidate’s abilities
7. DevSkiller ready-to-use online security coding assessment tests
Devskiller’s RealLifeTestingTM methodology is ideal for testing security engineer skills. The platform doesn’t ask academic questions. Instead, it sets up real security situations that a security engineer needs to approach using their experience and creativity. On top of that, the tests are graded automatically and you can see how the security engineer comes up with their solution. DevSkiller offers security test both with coding and systems. Here are a few you can try from.