Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Posted by Soulskill on from the very-small-shell-scripts dept.

ramoneThePoolGuy writes: We are looking to fill a senior developer/architect position in our firm. I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us. For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue. I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc. In general, I'm finding that an overwhelming number of developers I've interviewed have poor understanding of key concepts, especially when it comes to securing data. Are other firms experiencing this same dilemma in finding qualified applicants? (Quite frankly it scares me that some of these developers are building sites that need to be secure)"

5 of 809 comments (clear)

  1. It's a vast field.... by jawtheshark · · Score: 5, Informative
    It's a vast field, and expertise of people is usually just a subset. I'm not even sure what the answer you you expected was, but I'd say: I'd use your public key to encrypt the file to you and then send it to you. Personally, I wouldn't know which commands to invoke to do this, but I know that's the theory.

    So, should any developer know this? That is debatable. I've had very competent developers who had next to no clue about how DNS works. They could do their job just fine with that. Me? Personally, I'm not up to snuff with the finer points of SQL queries and all the joins that exists and when it makes sense to create an index, etc. Could I find out? Most likely, but I haven't had the need to recently.

    The problem is, that you are mapping your knowlegde to "what people must know". I used to do that too, and I probably still do often enough. The DNS example above didn't come from nowhere: I had the case, and I was really thinking "how could such a competent person not know this", but then this person could probably enlighten me about dozens of things I don't know well enough.

    It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.

    TL;DR Hiring people is hard. Especially, technical people.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:It's a vast field.... by jawtheshark · · Score: 5, Informative

      There are also a plethora of "technically correct" answers. You could say: "I scp the file to your server", where you presume the server is secure, and ssh is secure, so the documents confidentiality is guaranteed. (Upload the file using https works as an answer too). Hey, just connect to the companies VPN and copy the file to a Samba share. Valid too!
      The question of what kind of file it was, isn't even that dumb. I'm not familiar with PDF, but I could -for example- imagine there is a standard for encryption within PDF. Someone from with a document management background would most likely think of such solutions.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    2. Re:It's a vast field.... by pugugly · · Score: 5, Informative

      No, you (Alice) encrypt with your private key, then encrypt with 'Bobs' public key, then Bob decrypts with his private key and again with Alice's public key.

      Thus Both Alice and Bob are authenticated, and no one besides Alice and Bob can intercept.

      Pug

      --
      An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
  2. Re:Yes... by Grax · · Score: 5, Informative

    I keep hearing how hard it is to find good people but then the recruiters tell me that the potential employer can't meet my price point and that is the end of the discussion.

    --
    Coding Blog
  3. Asking the wrong questions, using the wrong metric by merick · · Score: 5, Informative

    I'm a web developer and I also haven an interest in understand public-private key crypto, PGP, steganography, physical security etc. The thing is, You don't need *any* of that to build good, secure websites. You should be asking about things from the OWASP Top 10 List if you want to gauge their ability to write secure code.

    https://www.owasp.org/index.ph...

    Otherwise you're judging them for not having the same "other" unrelated-to-your-job security interests as you.

    They should understand that they aren't trained enough to build their own authentication encryption systems correctly. They should use generally accepted procedures like BCrypting passwords with a unique per-user SALT that also uses a site-specific key. And that other sensitive fields should be blocked from being recorded in logs, data should be encrypted at rest, etc. But if they have poor OWASP skills, the sensitive data is still readable because it is accessed through the application which is decrypting it for an attacker.

    You're asking the wrong things and judging on unrelated skills.