Questions when interviewing new people

From: Mads Rasmussen (mads_at_opencs.com.br)
Date: 04/15/04

    Date: Thu, 15 Apr 2004 09:08:47 -0300
    To: secprog@securityfocus.com, sc-l@securecoding.org
    
    

    In their book, "Writing Secure Code, 2nd ed", Michael Howard & David
    LeBlanc talk about an exercise when interviewing new people.
    The purpose is not to test the person's security skills but to ascertain
    how the person thinks about security issues.

    They give an example:

    ----
    The government lowers the cost of gasoline, however they place a 
    tracking device on every car in the country and track mileage so that 
    they can bill you based on distance traveled.
    Ask the candidate being interviewed to assume that the device uses a GPS 
    (global positioning system) and to discuss some of these issues:
    - What are the privacy implications of the device?
    - How can an attacker defeat this device?
    - How can the government mitigate the attacks?
    - What are the threats to the device, assuming that each device has 
    embedded secret data?
    - Who puts the secrets on the device? Are they to be trusted? How do you 
    mitigate these issues?
    -----
    Does anyone use similar skills to interview new staff? I find this idea 
    really nice. You force the person to think as a hacker in order to 
    answer the questions; will his/her answers satisfy your expectations?
    Another interesting idea would be to draw up some code on a white board 
    and ask the candidate to identify the buffer overflow.
    Have you guys any experience that resembles this?
    Greetings,
    Mads
    
