You do not need to be a security expert to catch common vulnerabilities. Test every input field with basic payloads, verify authorisation on every endpoint, and run automated scans as part of your CI pipeline.
Strong answers cover: OWASP Top 10 awareness, testing input validation (SQL injection, XSS, CSRF), authentication and authorisation testing, automated security scanning tools (OWASP ZAP, Burp Suite), and integrating security checks into the CI pipeline. The best candidates also discuss the boundary between QA security testing and dedicated penetration testing.
An increasingly expected QA skill. Candidates who include basic security testing in their QA process add significant value. Ask: "What is the most interesting security issue you have found during testing?"
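As an added illustration of the two checks the answer above recommends (verifying authorisation on every endpoint, and sending basic payloads to input fields), here is a self-contained Python example of the kind of automated test a QA engineer could run in CI. It is not code from the original page. The application, its routes, roles and the `Request` type are a constructed stand-in; against a real service the same test functions would call an HTTP client instead of `app(...)`.

```python
"""Added example: an authorisation matrix test and a basic reflected-input
check, written as a QA engineer might add them to a CI test suite.

Everything under "stand-in" is constructed for this example; it is not a
real framework or a real application.
"""
import html
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# --- Constructed stand-in for the application under test -------------------

@dataclass
class Request:
    role: Optional[str]      # None means unauthenticated
    params: Dict[str, str]   # query-string style input fields

# Expected authorisation matrix: which roles may reach each endpoint.
# In a real suite this comes from the product's access-control spec.
ALLOWED = {
    "/profile": {"user", "admin"},
    "/admin/users": {"admin"},
    "/search": {None, "user", "admin"},   # public endpoint
}

Handler = Callable[[str, Request], Tuple[int, str]]

def app(path: str, req: Request) -> Tuple[int, str]:
    """Correct handler: enforces the matrix and HTML-escapes echoed input."""
    if path not in ALLOWED:
        return 404, "not found"
    if req.role not in ALLOWED[path]:
        return (401 if req.role is None else 403), "denied"
    q = req.params.get("q", "")
    return 200, f"<p>results for {html.escape(q)}</p>"

def unsafe_app(path: str, req: Request) -> Tuple[int, str]:
    """Same routing, but echoes input unescaped (the defect the check catches)."""
    status, body = app(path, req)
    if status != 200:
        return status, body
    return 200, f"<p>results for {req.params.get('q', '')}</p>"

# --- Tests a QA engineer would write ---------------------------------------

ROLES = [None, "user", "admin"]

def authz_matrix_failures(handler: Handler = app):
    """Call every endpoint as every role and return (path, role, status)
    triples whose response contradicts the expected matrix."""
    failures = []
    for path, allowed in ALLOWED.items():
        for role in ROLES:
            status, _ = handler(path, Request(role=role, params={}))
            if role in allowed and status != 200:
                failures.append((path, role, status))
            if role not in allowed and status not in (401, 403):
                failures.append((path, role, status))
    return failures

# Constructed sample payloads: markup, attribute break-out and a quote.
BASIC_PAYLOADS = [
    "<script>alert(1)</script>",
    '" onmouseover="x',
    "' OR '1'='1",
]

def reflected_unescaped(handler: Handler = app, path: str = "/search",
                        role: Optional[str] = "user"):
    """Send each payload to an input field and return those echoed back
    verbatim, which is the signal that output encoding is missing."""
    echoed = []
    for p in BASIC_PAYLOADS:
        status, body = handler(path, Request(role=role, params={"q": p}))
        if status == 200 and p in body:
            echoed.append(p)
    return echoed

if __name__ == "__main__":
    print("authz failures (correct app):", authz_matrix_failures(app))
    print("unescaped echoes (correct app):", reflected_unescaped(app))
    print("unescaped echoes (unsafe app):", reflected_unescaped(unsafe_app))
```

Both checks return a list of findings, so a CI job fails the build on a non-empty result; the matrix test in particular is cheap to extend whenever a new endpoint is added, which is the habit the answer above is looking for.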