In their book "Writing Secure Code, 2nd ed.", Michael Howard & David LeBlanc talk about an exercise they use when interviewing new people.
The purpose is not to test the person's security skills but to ascertain how the person thinks about security issues.
They give an example:
----
The government lowers the cost of gasoline; however, they place a tracking device on every car in the country and track mileage so that they can bill you based on distance traveled.
Ask the candidate being interviewed to assume that the device uses a GPS (global positioning system) and to discuss some of these issues:
- What are the privacy implications of the device?
- How can an attacker defeat this device?
- How can the government mitigate the attacks?
- What are the threats to the device, assuming that each device has embedded secret data?
- Who puts the secrets on the device? Are they to be trusted? How do you mitigate these issues?
-----
Does anyone use similar skills to interview new staff? I find this idea really nice. You force the person to think as a hacker in order to answer the questions; will his/her answers satisfy your expectations?
Another interesting idea would be to draw up some code on a white board and ask the candidate to identify the buffer overflow.
Have you guys any experience that resembles this?
Greetings,
Mads
