One of the worst onsite interview experiences.
I was selected for a New Grad Product Security Engineer interview. The recruiter reached out and asked to schedule a meeting. The scheduling process was delayed multiple times. I finally completed a 60-minute screening round, which included 50% coding and 50% security-related topics. Questions asked: Valid Palindrome and many scenario-based web security questions related to CSRF, XSS, password hashing, and cookies.
I qualified and scheduled an onsite round spanning two days in two consecutive weeks. Day 1: Security Code Review (Web In Domain), Security Systems Design. Day 2: Coding, Behavioral.
The Systems Design round was later rescheduled to a third week, extending the onsite process to three weeks. The security code review was a new type of round for a new grad role. I asked about the programming languages and frameworks I should expect. The recruiter repeatedly only provided coding resources and a generic interview prep guide, with no mention of specific languages or frameworks. It was clear the recruiter lacked understanding of the round's details.
In the code review round, the interviewer presented a codebase written in PHP. I have zero knowledge of PHP, and it was never mentioned on my resume or profile. The round was described as (Web in domain), yet it did not include any JavaScript. The interviewer presented a vulnerable server-side codebase in PHP. Despite stating my lack of PHP experience, the interviewer insisted I review the code. I tried my best, but reviewing a codebase in an unfamiliar language is challenging.
I appeared for the onsite coding and behavioral rounds. Questions asked:
cd: A variation of Simplify Path, but instead of starting from the root, the function takes another argument for the present working directory. Example: cd(pwd, path). If pwd = '/home/user' and path = '../document', the answer should be /home/document. path can be absolute or relative; if absolute, pwd should be ignored. Optimal solutions were required for both problems.

Behavioral questions were standard: conflict resolution, best team, worst team, lessons learned, etc.
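As an added worked example (my code, not the poster's solution), here is an O(n) stack-based implementation of the cd(pwd, path) variant described above. It assumes pwd is an absolute path and, beyond what the post states, treats '..' at the root as a no-op and any other name such as '...' as an ordinary directory name.

```python
def _reduce(segments):
    """Apply the '.', '..' and empty-segment rules to a list of path segments.

    Returns the canonical stack of directory names. '..' at the root is a
    no-op (assumption: we never climb above '/'), and any other name,
    including '...', is an ordinary directory name.
    """
    stack = []
    for seg in segments:
        if seg in ('', '.'):
            continue            # duplicate '/' or current dir: ignore
        if seg == '..':
            if stack:
                stack.pop()     # go up one level, but never above root
            continue
        stack.append(seg)
    return stack


def cd(pwd: str, path: str) -> str:
    """Resolve `path` against the present working directory `pwd`.

    `path` may be absolute (starts with '/'), in which case `pwd` is
    ignored, or relative, in which case it is appended to `pwd`.
    `pwd` is assumed to be absolute. Runs in O(len(pwd) + len(path)).
    """
    if path.startswith('/'):
        segments = path.split('/')
    else:
        segments = pwd.split('/') + path.split('/')
    return '/' + '/'.join(_reduce(segments))


if __name__ == '__main__':
    # The example from the post, plus constructed edge cases
    print(cd('/home/user', '../document'))        # /home/document
    print(cd('/home/user', '/etc/../var//log/'))  # /var/log
    print(cd('/', '../..'))                       # /
```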
I also completed the Security Systems Design Round. The question was to design the UI of an online coding exam platform with security in mind (traditional systems design requirements like Scalability and Maintainability were out of scope). The interviewer was unhelpful and did not answer clarifying questions. When asked about candidate sign-in, the response was "You tell me, you are the architect here." When I asked about focusing on client-side (JS) or backend security, the response was "You decide whatever you think is more important." I was unable to clarify functional and non-functional requirements.
I was rejected.