The dreaded job interview. From small talk to tough questions – it’s the true testing time for the interviewee. But if you’re the interviewer, control – and advantage – is on your side. When interviewing candidates for job positions that involve secure coding, i.e. development, QA, or related information security roles, what should you ask? Do you stick it to them with super-technical questions and allow them to show off their technical prowess or do you throw them some seemingly softball-type questions that, in the end, better showcase how they think, their personalities, and business skills? Read these 7 secure coding job interview questions below to find out.
I’m of the belief that we have a skills shortage in IT and security and it’s not what you think. You see, anyone can learn the technical details of software security. They can earn their degrees, obtain their certifications, and talk the techie talk but nothing will serve them better than having the interpersonal skills to work well with fellow team members, communicate security threats, vulnerabilities, and risks to management, and the like. Some solid emotional intelligence, business intellect, and good, old-fashioned common sense can be discovered through the following questions that I would certainly be asking someone interviewing for such a role:
1. What’s the one thing that you have found that contributes the most to software security risks?
Budget, lack of buy-in, communication breakdowns between development, IT/security operations, and management come to mind.
2. What are the most challenging aspects of software security impacting businesses today?
Things like getting it right the first time, finding the low-hanging fruit promptly before the bad guys do, and even the various complexities associated with people/politics.
3. How can security be best integrated into the SDLC without getting in the way of the typical project deliverables?
Think properly-set expectations up front during the requirements phase, good tools, and open communications – especially those that involve the security team.
4. How would you go about finding security flaws in source code – manual analysis, automated tools, or both?
Hopefully they’ll lean more towards the latter. No one is good enough or has the time to do everything manually!
5. What part (or parts) of the OWASP Top 10 do you have the most experience with? Which flaws are most impactful to a business’s bottom line?
Ideally, they’ll be familiar with the OWASP Top 10. It’s not uncommon to meet developers and QA professionals who have never heard of it.
6. From developers to end users to executive management, what do you think is the best way to get and keep people on board with software security?
Anything from awareness training to technical controls to open lines of communication can come into play.
7. How do you determine a vulnerability’s severity?
The key is “what’s the business risk?” For example, if it’s a seemingly ugly SQL injection issue that’s not actually exploitable or, if it is, there’s nothing of value to be obtained, is that critical, high, or just a moderate flaw? Understanding how job candidates think and relate to business risk can be extremely impactful to their overall value to your organization.
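To make the “what’s the business risk?” reasoning in question 7 concrete, here is an added example (not code from the original post) of a small likelihood × impact rating that runs the SQL injection scenarios above through the same finding type; the factors, weights and severity bands are assumptions chosen for illustration, not a standard.

```python
# Added example: rate a finding by business risk, not by vulnerability class alone.
# Factor weights and severity thresholds are assumed for illustration.
from dataclasses import dataclass
from typing import Tuple

# Score bands (assumed): checked from highest to lowest.
SEVERITY_BANDS = [(12, "critical"), (8, "high"), (4, "moderate"), (0, "low")]


@dataclass
class Finding:
    vuln_type: str
    exploitable: bool           # can an attacker actually trigger it in this deployment?
    data_value: int             # 0 = nothing of value reachable ... 3 = regulated/PII data
    internet_facing: bool       # exposure raises likelihood
    compensating_controls: int  # 0..2, e.g. DB least privilege, parameterised call sites


def likelihood(f: Finding) -> int:
    """0 when not exploitable; otherwise 1..4 from exposure minus controls."""
    if not f.exploitable:
        return 0
    raw = 2 + (2 if f.internet_facing else 0) - f.compensating_controls
    return max(1, raw)  # an exploitable flaw never drops to zero likelihood


def impact(f: Finding) -> int:
    """1..4: even with nothing valuable, a working injection still has some impact."""
    return 1 + max(0, min(3, f.data_value))


def rate(f: Finding) -> Tuple[int, str]:
    """Return (score, severity) where score = likelihood * impact (0..16)."""
    score = likelihood(f) * impact(f)
    for threshold, label in SEVERITY_BANDS:
        if score >= threshold:
            return score, label
    return score, "low"


if __name__ == "__main__":
    # Constructed scenarios from the interview question: same bug, different risk.
    cases = [
        ("unexploitable SQLi", Finding("SQL injection", False, 3, True, 0)),
        ("exploitable, nothing of value", Finding("SQL injection", True, 0, True, 0)),
        ("exploitable, PII, internet-facing", Finding("SQL injection", True, 3, True, 0)),
    ]
    for name, finding in cases:
        print(f"{name}: {rate(finding)}")
```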
Many (arguably most) people in development and QA – and even security to an extent – reach maximum creativity and work most efficiently by themselves. That’s great when you’re in college knocking out computer science projects. However, that’s not what’s required when solving business problems in today’s world. Ask tough questions such as these. You’re going to get the most honest, off-the-cuff answers, since interviewees are likely not going to expect them.
It certainly doesn’t hurt to evaluate the technical skills and security knowledge of your job candidates. For that, you could delve into input validation and its associated challenges, user session management and related flaws, etc. Emotional intelligence and people skills will mean nothing for the position if a candidate knows nothing about the work involved. Just know what you want/need and what’s going to mesh well with your corporate culture. If you ask the right questions from a broad perspective so you can get to know each candidate better, you’ll eventually end up with the right person for the job.