Ask Slashdot: What Portion of Developers Are Bad At What They Do?
ramoneThePoolGuy writes: We are looking to fill a senior developer/architect position in our firm. I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us. For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue. I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc. In general, I'm finding that an overwhelming number of developers I've interviewed have poor understanding of key concepts, especially when it comes to securing data. Are other firms experiencing this same dilemma in finding qualified applicants? (Quite frankly it scares me that some of these developers are building sites that need to be secure)
Because PKI is more of a specialization, not a fundamental.
I am very small, utmostly microscopic.
Having been interviewing people recently, it's almost impossible to find people who are half decent. Slashdot likes to make out like there's a huge glut of good engineers without jobs in the US. If it's true, then I haven't found them. What there is is a huge number of people who don't understand how anything at all works.
For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue.
Yeah, and? Not everyone is going to know the ins-and-outs of every single field of software.
I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us.
Unless you claim that you know everything about everything, I'm sure I could find areas that you had no clue about as in these engineers you refer to in the previous sentence. Does that make you a bad developer?
There is far more that can be known than a single person can know, so you should never, ever assume that a developer is skilled (or even knowledgeable) in a particular specialty based only on the number of years experience they have. I think you're doing a disservice in your process for finding qualified applicants: if you want them to know about PKI, for example, then you need to specify that in the job listing.
You don't need to hire experts right off the bat. What you want to hire is someone who recognizes that they don't know the answer, and tells you that, and then immediately says they'd go research it to find out. "Can I Google that?" is a perfectly valid answer sometimes. If you hire a person who knows how to learn whatever it is you need them to become an expert in, you'll have a new employee who is not only going to be a valuable asset for where you're hiring them, but also has the flexibility to expand to other areas when necessary.
TL;DR: Stop looking for purple unicorns, and start looking for fast learners.
Occasionally living proof of the Ballmer peak.
This is a common problem... interviewers asking questions that have no relevance to any of my work experience or interests.
This is a problem I see in the entire STEM field. You work on technology X for a while, you learn it inside and out, and you expect everyone else who is "qualified" knows what you know. You want to hire someone with no ramp, who is going to drop in on day 1 and start doing great stuff, just as soon as he sets a password to his laptop.
In practice the fields are so huge, that it's fairly unlikely anyone has the domain knowledge you've acquired in your niche, unless you hire direct from a competitor (in which case you better pay well, or be offering something huge). A more reasonable approach is to weed people out based on their general skillset (i.e. what they should have learned in school), based on resume lies, and general attitude and disposition: excessive use of the passive voice, reluctance to commit to anything, points in their discussion where they failed to pursue issues to the next level, excessive number of employers, etc. Then expect it's 6 months before they start producing something that doesn't require you to hit them for. If you're afraid they will leave in 6 months, you're not paying enough or else you hired an incompetent and he's doing you a favor.
Indeed, it seems like if you're hiring for a very specific skill set, state that in the job req. If it's a very narrow skillset and you want them to be up to speed from the get go, be prepared to pay a premium. Otherwise you might want to give more attention in the interview to what they can learn vs what they currently know. Especially in security related applications where things change all the time.
I'm not saying a developer shouldn't likely know at least something generally about public key cryptography, but the skillset of building a secure website is VERY different from that of using GPG to send a secure email to this guy doing the interview. Does the job posting specify a need for cryptography expertise specifically? There is a vast array of technical knowledge out there and you can have jack-of-all-trades-master-of-none types or specialists in one or a few areas, but not all. To therefore say that these developers are "bad at what they do" smells strongly of a frustrated, non-tech-savvy interviewer/manager who doesn't understand why he can't hire someone today to build him a perfect website that will be ready next week.
Are you a hot magnet company? (well known pre-IPO) Are you paying above market value?
My guess is that the best devs have already been scooped up, and the ones interviewing are comfortable enough where they are.
No doubt he's looking for an excuse to get some H-1B guys in there.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Title asks "Ask Slashdot: What Portion of Developers Are Bad At What They Do?"
Title actually means "Ask Slashdot: What Portion of Developers Are Bad At What I Do?"
If a functional understanding of a fairly specialized technological area is what you have in mind, don't assume it's widespread.
That's like getting bent out of shape if the local mechanic (fully trained and certified, even) doesn't know the detailed intricacies of ECM programming.
If you want a broadly expert Renaissance Engineer, I hope you're prepared to pay more than the usual one-trick-monkey pay. You're not talking about an engineer, there. Something more like Chief Engineer or Chief Scientist.
Welcome to the Panopticon. Used to be a prison, now it's your home.
An "expert in cryptography"? He's looking for someone who can tell him to use a public/private key pair... that really should be common knowledge in software engineering.
I don't expect every developer to be an expert in cryptography. I do expect every developer to have a basic understanding of cryptography, which would include the type of understanding that the poster was asking for. What is PKI? How would I use it? I don't expect you to develop a secure cryptographic library and I don't expect you to develop the microprocessor in your computer. But I expect you to have a basic understanding of how a microprocessor works.
I'll see your senator, and I'll raise you two judges.
that really should be common knowledge in software engineering.
For what reason exactly? Cryptography doesn't apply to many fields of software.
I'm pretty sure knowing about algorithms, data structures, and being able to quickly pick up new languages/frameworks/etc. is far more relevant to the quality of a software developer than knowing some single specialty of software.
You aren't evaluating candidates. You are making a common interviewing mistake and fishing for specific answers. You (wrongly) assume that a matching answer is a good answer.
How many are bad? I'd say 15-20%. Same as every field. But you aren't looking for "not bad" you are looking for "does it the way I'd do". That's different. Why is file-level or transfer level encryption "wrong" for your question, and message-level encryption the only acceptable answer? I know plenty of people that would find your clumsy "email it" answer to be incompetent, and they'd look for SCP as the only correct answer.
The fact that the candidate recognized that and tried to gather more information to give the right answer shouldn't be counted against him, as you did, but indicate that he's good at clarifying unclear requests (which is just about all of them).
Learn to love Alaska
Almost everybody is extremely bad at their jobs. Especially in IT, but in general too. I would say a solid 85% of people working in IT today should not be in the field.
I work in Security and so my job is basically to know, at a high level, how other people should do their jobs. Of course there are compromises that have to be made for functionality and cost, but in reality most IT systems are developed and architected in a way that no one should architect anything for any reason. The amount of money that's wasted because of poor infrastructure is astonishing. Companies could have an architecture that's twice as secure and probably half the cost to maintain if they were willing to make a one time investment in doing it properly.
Developers are a weird animal too. I know I'm playing with fire saying this on Slashdot. :) In my experience developers have a deep understanding of how systems work and are designed (obviously), but their understanding is *extremely* narrow. This is by no means true of all developers, but it's true of a lot. They can write brilliant code, but they can't tell you how to go about FTP-ing a file, how to encrypt an email, or how a domain works. It's a specialized skill set.
At a previous company I had to call support because my computer didn't grok with the domain and wasn't getting group policy. The tech, with her domain admin access, comes over and is obviously floundering trying to fix the problem. I suggest running a DOS command I know...she googles it and pulls it up...she gets to the command prompt and starts typing, "command\optionfoobar-x7", etc. How can you possibly be in that field and not know the *most basic structure* of a DOS command? I don't care if you know the command and options, everyone googles that crap, but you don't know how to type it in properly? A backslash and no spaces? Really? Even when you're looking at a webpage which has it verbatim?
It's no wonder things are in the state they're in.
I've sat through an upsetting number of tech interviews. Getting someone at the high end is a really horrible experience. People come in with very impressive resumes only to show no real skillset.
I don't think having some lack of understanding of encryption is a non-starter.
But I do want to see that someone has a good breadth of experience, and can talk about a good number of things at some base understanding:
How a file system works,
how a network works,
how memory works,
how a repository works,
how a software build works,
how to use editor functions far beyond what can be done by Microsoft Notepad,
how to use a regex,
how to make a presentation from data,
how to make a LAMP webpage,
how to merge tables from multiple databases,
how to do statistical tests on data,
how to set up proper controls for experiments,
how to write.
The other part is that bad applicants pervade the pool. Good hires get hired, and held onto -- Bad hires don't get hired, or get released back in the pool. If you want a good hire, there is a bunch of crap applicants to wade through, or you pay the cash to lure talent away from a lucrative job.
Oh the subject.. Eventually gave up on hiring a senior, and posted for a junior position, and got far better applicants than we ever saw for the senior position.
It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.
Can I be snarky for a moment and just enjoy the irony of a sentence that wonders what should be considered to be "general knowledge", and it has the word "knowledge" misspelled? :) Continuing with the theme, I'm sure I just made a run-on or something in the midst of my pedantry.
OK, back to business. This is a hard question to answer for a senior developer, what should be considered to be "general knowledge". I think that to be a successful developer at the senior level, you really need to know a little bit about a lot of things, and be able to look up what you don't know.
By way of example, as a developer, if I were to see something like "192.168.0.0/24", I recognize that immediately as an IP address range in CIDR notation. Mind you, I have no earthly clue how to compute that range--I'm not a network guy--but I know what it is in the general sense. Enough to google for "CIDR calculator" in order to compute the range in a format that I understand.
Part of being a developer is having a decent working knowledge of security concepts. Like "Oh, I'm sending a file across the public Internet. Someone could intercept that. I'd better protect it somehow with encryption." Maybe the developer doesn't quite know what type of encryption to use yet. Should the connection be encrypted, or the file? Or both? Is it required to verify the authenticity of the file? Should it be signed? Or is it good enough to verify the remote host? Or some type of login?
Incidentally, I disagree with OP that the answer of "The person started off by asking me if it was an excel file, a PDF, etc." was totally unacceptable. Excel and the PDF standards both have encryption support, so if the "sensitive data" were an Excel file, the path of least resistance would be to pointy-clicky through the menu and click "Encrypt this here spreadsheet" (or whatever the command is). Likewise with the PDF, but with Acrobat instead. Of course this does not solve the general problem of "how do I protect sensitive data?", but maybe he doesn't want to bother looking up and verifying your public key, installing GPG or setting up S/MIME or whatever if a simple solution exists. If I were to send you a spreadsheet of salary data for the company, you can bet I'd just encrypt the fucker within Excel and tell you the password via some other channel like the telephone.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
I would like to flip it around and ask you why do you think your companies are actually worth working for? Are you going to employ us when we are 40, 50, 60+? Are you going to ask me a bunch of stupid questions even though I have 20 years of work in my portfolio? I just don't understand why it's so acceptable for employers to be so arrogant in the IT world compared to other professions.
If companies really wanted good people they would:
I have found that software development might be a decent job, but a horrible career. I'm going to go raise goats and make cheese (sorry ranting)
I laugh at inappropriate times.
You're asking "developers" questions about "information security" by using vaguely worded questions that even "information security" experts would need to clarify, and when you don't get the results you're looking for, you take to the internet and declare that you are "worried about the quality of developers/engineers". I am quite sure that many of your interviewees have left your facility worried about the leadership qualities at your firm as well.
Try asking very broad open-ended questions such as, "Tell me about your general understanding of different types of encryption processes, and elaborate on any experiences you have using them." You might find that interviewees dump so much information on you about encryption that you can't get them to shut up.
Let's make like a bird... and get the flock outta here.
Honestly, why would you need to reverse a linked list in a real application?
Hell, if you knew you were going to have to traverse it in reverse at some point, why didn't you just make it a doubly linked list in the first place?
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
If a company gets more applications for a position than it can deal with, it's going to filter them down. The hiring manager's job is to get somebody good with reasonable effort, not to get the best regardless of cost, and high school dropouts are generally unlikely to be all that good.
Nor do I know that you're any good. You are certainly confident, which is in my experience more likely Dunning-Kruger than genuine expertise. The best people I've worked with have been at least somewhat modest, because they have had a clue as to a whole lot of things they didn't know. Your confidence and possible social skills may be getting you jobs that you really can't do well, and don't realize you aren't doing well. Convincing people that you're an MBA is not something a typical developer does, those being different skills.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
FWIW, I think that's a mistake. Why trust the opaque "encryption" feature of an application like Excel or Acrobat when you can use something well-proven?
Unless you only want to dissuade casual observation, in which case any number of simple methods may work that involve no encryption.
-josh
Exactly the submitter's problem. He doesn't realize that PDF and Excel both have built in file encryption as part of their formats. Even Zip does as well!
If he phrased his question differently, he'd get a different answer. "How would I securely encrypt an arbitrary file" - that's a very different problem than most business users who simply need to send a PDF or XLS with private details to a client or someone else in the office.
I'm out of my mind right now, but feel free to leave a message.....
The beauty of this post is that in 2 sentences you have just educated any readers lacking this knowledge to the point that the OP's interview question could be answered.
This is the danger of specific knowledge questions. Knowing the answer off the top of your head is largely immaterial. Google is just a finger stroke away. And thanks to JITC (Just in time Comprehension) specific knowledge is less critical than general knowledge and thought process.
I have a couple of things I like to look for in an interview. I like to know what a person is passionate about. A person who really enjoys coding, who works on open source projects on the side, does game mods, toys with the latest new technologies, etc... is likely someone who is always going to be pushing for a better solution.
I also have a white board exercise I like to do because it has an easy answer but can be thrown a curve ball based on inputs. Most folks miss the curve ball, so when we point it out, we can see how they debug code.
Those two general points helped to form one of the greatest development teams I've ever worked with. There were days where it took a lot of cat herding to keep some of them on task, but most of the time, you put a problem in front of them, and they will attack it with vigor and get you a solid product at the end of the day.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Meh. I wouldn't hire you because you come across as an arrogant prick who thinks he knows better than everyone else. That's a team dynamic issue, which is every bit as important as what you can or can't do technically.
That aside, your general point is sound - what matters is the person not what certifications they have. However, as others have mentioned there is a value to a (good) formal CS education, at least for the work I do. Self taught people tend to learn the minimum needed to solve the problem they face. There's a whole bucket of academic stuff (logic, complexity, stats) that doesn't often fall into that category but which is really useful as background knowledge. Someone teaching themselves Python or Ruby is unlikely to spend much time learning about CPU cache design, but that can be surprisingly useful when it comes to optimizing stuff. Just examples, there are always exceptions :)
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"