The test is simple: if a developer clones your repo, can they see any secrets? If yes, your secrets management needs work. Use a dedicated secrets manager and inject at runtime, never at build time.
Strong answers cover: never storing secrets in code or version control, using dedicated secret management tools (Vault, AWS Secrets Manager, SOPS), rotating secrets regularly, auditing access, handling secrets in CI/CD pipelines, and developer workflows that are both secure and convenient. Best candidates discuss the tension between security and developer experience.
Non-negotiable security skill. Secret leaks are one of the most common security incidents. Candidates who have implemented proper secrets management demonstrate security awareness. Ask: "What happens when a secret is accidentally committed to git?"