Top 9 Application Security Interview Questions You Must Prepare 27.Jul.2024

Q1. What Are The Common Defenses Against XSS?

Input validation and, above all, context-aware output encoding: untrusted data is encoded for the exact context it is written into (HTML body, HTML attribute, JavaScript string, URL) at the point of output. Input validation is useful but cannot be the primary control, because the same value can be harmless in one output context and executable in another. Mentioning a Content Security Policy as defense in depth is a plus.

Q2. How Does One Defend Against CSRF?

Anti-CSRF tokens (nonces generated by the server, bound to the session, and required on every state-changing request) are the accepted, albeit not foolproof, method. Again, we're looking for recognition and basic understanding here, not a full, expert-level dissertation on the subject. Adjust expectations according to the position you're hiring for.

Q3. What Is Cross-Site Request Forgery?

Not knowing this is more forgivable than not knowing what XSS is, but only for junior positions. Desired answer: when an attacker gets a victim's browser to make a request to a site the victim is logged in to, with the victim's credentials (session cookies) attached automatically by the browser, without the victim's knowledge. A solid example is an IMG tag whose src points to a URL that performs an action,

e.g. http://www.wisdomjobs.com/logout/. A victim merely loading a page that contains that tag could be logged out of that site, and it was their browser that performed the action, not them (browsers fetch all IMG tags automatically and send the target site's cookies with the request). The modern SameSite=Lax cookie default blunts this particular image-tag case, but the class of attack remains wherever cookies alone authorize a state change.
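The defense from Q2 and the forged request from Q3, as an added example that is not code from the original page. A state-changing endpoint is modelled as a plain function that receives the cookies and form fields a browser would send; the server secret, session ids and request shapes are constructed for illustration, and the endpoint name handle_logout is hypothetical.

```python
"""Synchronizer-token CSRF defense (added example, standard library only)."""
import hashlib
import hmac
import secrets

# Per-deployment key; assumed to be kept private and rotated with care.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: random nonce plus HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """True only if the token was issued for this session and is untampered."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):   # missing token or wrong shape
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_logout(cookies: dict, form: dict, method: str = "POST") -> int:
    """Return an HTTP status for a state-changing request.

    The browser attaches the session cookie automatically, which is exactly why
    the cookie alone must never authorize the action.
    """
    if method != "POST":
        return 405          # a GET (what an <img> tag sends) must never change state
    session_id = cookies.get("session")
    if not session_id:
        return 401
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403          # cookie present but token missing or invalid: treat as forged
    return 200


def demo() -> dict:
    """Exercise the endpoint with forged and legitimate requests (constructed inputs)."""
    cookies = {"session": "sess-" + secrets.token_hex(8)}
    sid = cookies["session"]
    token = issue_csrf_token(sid)
    flipped = token[:-1] + ("0" if token[-1] != "0" else "1")   # one-character tamper
    return {
        "img_tag_get":     handle_logout(cookies, {}, method="GET"),
        "forged_post":     handle_logout(cookies, {}),
        "wrong_session":   handle_logout(cookies, {"csrf_token": issue_csrf_token("other-session")}),
        "tampered_token":  handle_logout(cookies, {"csrf_token": flipped}),
        "legitimate_post": handle_logout(cookies, {"csrf_token": token}),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:16s} -> {status}")
```

Any token issued for the session validates, so this is a per-session rather than per-request token; adding a timestamp to the MAC input and rejecting old tokens turns it into a per-request one. Because the token is keyed to the session id, an attacker who obtains a token for their own session cannot replay it against the victim's. Setting SameSite=Lax or Strict on the session cookie is a worthwhile second layer.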

Q4. Describe The Last Program Or Script That You Wrote. What Problem Did It Solve?

All we want to see here is whether the color drains from the candidate's face. If they panic then we not only know they're not a programmer (not necessarily bad), but that they're afraid of programming (bad). I know it's controversial, but I think that any high-level security person needs some programming skills. They don't need to be a god at it, but they need to understand the concepts and at least be able to muddle through some scripting when required.

Q5. How Does HTTP Handle State?

It does not, of course. Not natively: HTTP is stateless, and each request stands alone. Good answers are things like "cookies" or "sessions", but the best answer is that cookies are a hack bolted on to make up for the fact that HTTP doesn't do it itself, which is why the session identifier a cookie carries has to be unpredictable and protected (Secure and HttpOnly flags) or it becomes the credential an attacker goes after.

Q6. What Are The Various Ways To Handle Account Brute Forcing?

Look for discussion of account lockouts (and awareness that an attacker can abuse them to lock legitimate users out), rate limiting and progressive delays, IP restrictions, fail2ban-style detection that temporarily bans addresses with repeated failures, CAPTCHAs, multi-factor authentication, and monitoring of failed-login patterns such as password spraying across many accounts.
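The fail2ban-style option above, worked through as an added example that is not part of the original page: a sliding-window counter of failed logins per source address with a temporary ban once a threshold is crossed. The sshd-like log lines and addresses are constructed for illustration; a real deployment would tail the authentication log and push the ban into a firewall rule, which is what fail2ban automates.

```python
"""Sliding-window failed-login detection with temporary bans (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not real captures).
SAMPLE_LOG = """\
2024-07-27T10:00:01 sshd: Failed password for admin from 203.0.113.5
2024-07-27T10:00:03 sshd: Failed password for admin from 203.0.113.5
2024-07-27T10:00:04 sshd: Failed password for root from 203.0.113.5
2024-07-27T10:00:05 sshd: Accepted password for alice from 198.51.100.7
2024-07-27T10:00:06 sshd: Failed password for admin from 203.0.113.5
2024-07-27T10:00:07 sshd: Failed password for admin from 203.0.113.5
2024-07-27T10:00:08 sshd: Failed password for admin from 203.0.113.5
2024-07-27T10:30:00 sshd: Failed password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


class BruteForceDetector:
    """Ban an IP after `max_failures` failed logins inside a `window`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), ban_time=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.ban_time = ban_time
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned_until = {}               # ip -> datetime the ban expires

    def is_banned(self, ip, now) -> bool:
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # ban expired: forget it
            del self.banned_until[ip]
            return False
        return True

    def observe(self, line):
        """Feed one log line; return the IP if this line triggers a new ban, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None                      # unrelated line, ignore
        ts = datetime.fromisoformat(m["ts"])
        ip = m["ip"]
        if m["result"] == "Accepted":
            self.failures.pop(ip, None)      # a successful login resets the counter
            return None
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures that fell out of the window
        if len(recent) >= self.max_failures and not self.is_banned(ip, ts):
            self.banned_until[ip] = ts + self.ban_time
            recent.clear()
            return ip
        return None


def scan(log_text, **kwargs):
    """Run the detector over a log; return [(ip, ban_expiry)] in order of banning."""
    detector = BruteForceDetector(**kwargs)
    bans = []
    for line in log_text.splitlines():
        ip = detector.observe(line)
        if ip:
            bans.append((ip, detector.banned_until[ip]))
    return bans


if __name__ == "__main__":
    for ip, until in scan(SAMPLE_LOG):
        print(f"ban {ip} until {until.isoformat()}")
```

Keying the same counter on the username instead of the IP gives an account lockout, with the trade-off noted above that an attacker can then lock out a chosen user on purpose; keying on IP alone misses distributed attempts and password spraying, so production setups usually run both views side by side.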

Q7. If You Were A Site Administrator Looking For Incoming CSRF Attacks, What Would You Look For?

This is a fun one, as it requires them to set some ground rules. Desired answers are things like, "Did we already implement nonces?", or, "That depends on whether we already have controls in place..." Undesired answers are things like relying on the Referer header alone (it is optional and easily stripped), or wild panic.

Q8. How Would You Implement A Secure Login Field On A High Traffic Website Where Performance Is A Consideration?

We're looking for a basic understanding of the classic issue of wanting to serve the front page over HTTP for performance while needing to present the login form over HTTPS, and how they'd recommend doing that. A key piece of the answer should center on avoiding the MITM threat posed by plain HTTP: a login form delivered over HTTP can be rewritten in transit to post the credentials anywhere, regardless of where its action attribute pointed, so the page containing the form, not just the form submission, has to be served over HTTPS. Today the expected answer is HTTPS for the whole site with HSTS, since TLS is no longer a meaningful performance cost. Blank stares here mean they've never seen or heard of this problem, which means they're not likely to be anything near pro level.

Q9. What Exactly Is Cross-Site Scripting?

You'd be amazed at how many security people don't know even the basics of this immensely important topic. We're looking for them to say anything regarding an attacker getting a victim's browser to run script content (usually JavaScript) that the attacker injected into a page of the vulnerable site, so that it executes in that site's origin with access to the victim's session. Distinguishing the reflected, stored and DOM-based varieties is a bonus.
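The injection from Q9 and the output-encoding defense from Q1, as an added example that is not code from the original page. Three sinks a user-supplied display name might be written into are shown: an HTML element body, a quoted HTML attribute, and a JavaScript string literal. The templates and payloads are constructed for illustration, and the encoders use only the standard library.

```python
"""Contextual output encoding against XSS (added example)."""
import html
import json

# Constructed attacker-controlled values, one aimed at each output context.
PAYLOADS = {
    "body": "<script>alert(1)</script>",
    "attr": '" onmouseover="alert(1)',
    "js":   "</script><script>alert(1)</script>",   # HTML parser closes the script block first
}


def render_vulnerable(name: str) -> str:
    """Reflects the value verbatim into all three contexts."""
    return (
        f"<h1>Hello {name}</h1>\n"
        f'<input value="{name}">\n'
        f"<script>var user = '{name}';</script>"
    )


def encode_for_js_string(value: str) -> str:
    """JSON-encode (quotes, backslashes, control chars, and with ensure_ascii
    also U+2028/U+2029), then hex-escape the characters the HTML parser
    cares about so the string can never terminate the <script> element.
    The result includes its own double quotes."""
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_hardened(name: str) -> str:
    """Encodes the value for the context each sink sits in."""
    return (
        f"<h1>Hello {html.escape(name)}</h1>\n"
        f'<input value="{html.escape(name, quote=True)}">\n'
        f"<script>var user = {encode_for_js_string(name)};</script>"
    )


def injected(rendered: str) -> bool:
    """Crude markers that an injected value became markup or code rather than text."""
    return (
        "<script>alert" in rendered              # new script element appeared
        or 'onmouseover="alert' in rendered      # new event-handler attribute appeared
        or rendered.count("</script>") > 1       # the template's script block was closed early
    )


def audit(render) -> dict:
    """Map each payload name to whether it escaped its context under `render`."""
    return {name: injected(render(payload)) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:", audit(render_vulnerable))
    print("hardened:  ", audit(render_hardened))
```

The point the check makes concrete is that one encoder does not fit every sink: html.escape is right for the body and the quoted attribute, but inside a script block it is the JSON encoding plus the extra angle-bracket escaping that matters, because the HTML parser ends the element at the first </script> no matter how the JavaScript string was quoted. Templating engines that auto-escape typically do only the HTML case, so values placed into scripts, URLs or unquoted attributes still need explicit handling.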