Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: What Portion of Developers Are Bad At What They Do?

Posted by Soulskill on from the very-small-shell-scripts dept.

ramoneThePoolGuy writes: We are looking to fill a senior developer/architect position in our firm. I am disappointed with the applicants thus far, and quite frankly it has me worried about the quality of developers/engineers available to us. For instance, today I asked an engineer with 20+ years of experience to describe to me the basic process of public/private key encryption. This engineer had no clue. I asked another applicant a similar question: "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?" The person started off by asking me if it was an excel file, a PDF, etc. In general, I'm finding that an overwhelming number of developers I've interviewed have poor understanding of key concepts, especially when it comes to securing data. Are other firms experiencing this same dilemma in finding qualified applicants? (Quite frankly it scares me that some of these developers are building sites that need to be secure)"

19 of 809 comments (clear)

  1. It's a vast field.... by jawtheshark · · Score: 5, Informative
    It's a vast field, and expertise of people is usually just a subset. I'm not even sure what the answer you you expected was, but I'd say: I'd use your public key to encrypt the file to you and then send it to you. Personally, I wouldn't know which commands to invoke to do this, but I know that's the theory.

    So, should any developer know this? That is debatable. I've had very competent developers who had next to no clue about how DNS works. They could do their job just fine with that. Me? Personally, I'm not up to snuff with the finer points of SQL queries and all the joins that exists and when it makes sense to create an index, etc. Could I find out? Most likely, but I haven't had the need to recently.

    The problem is, that you are mapping your knowlegde to "what people must know". I used to do that too, and I probably still do often enough. The DNS example above didn't come from nowhere: I had the case, and I was really thinking "how could such a competent person not know this", but then this person could probably enlighten me about dozens of things I don't know well enough.

    It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.

    TL;DR Hiring people is hard. Especially, technical people.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    1. Re:It's a vast field.... by Asmodae · · Score: 5, Insightful

      Indeed, it seems like if you're hiring for a very specific skill set, state that in the job req. If its a very narrow skillset and you want them to be up to speed from the get go, be prepared to pay a premium. Otherwise you might want to give more attention in the interview to what they can learn vs what they currently know. Especially in security related applications where things change all the time.

    2. Re:It's a vast field.... by jawtheshark · · Score: 5, Informative

      There are also a plethora of "technically correct" answers. You could say: "I scp the file to your server", where you presume the server is secure, and ssh is secure, so the documents confidentiality is guaranteed. (Upload the file using https works as an answer too). Hey, just connect to the companies VPN and copy the file to a Samba share. Valid too!
      The question of what kind of file it was, isn't even that dumb. I'm not familiar with PDF, but I could -for example- imagine there is a standard for encryption within PDF. Someone from with a document management background would most likely think of such solutions.

      --
      Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)
    3. Re:It's a vast field.... by AK+Marc · · Score: 5, Insightful

      You aren't evaluating candidates. You are making a common interviewing mistake and fishing for specific answers. You (wrongly) assume that a matching answer is a good answer.

      How many are bad? I'd say 15-20%. Same as every field. But you aren't looking for "not bad" you are looking for "does it the way I'd do". That's different. Why is file-level or transfer level encryption "wrong" for your question, and message-level encryption the only acceptable answer? I know plenty of people that would find your clumsy "email it" answer to be incompetent, and they'd look for SCP as the only correct answer.

      The fact that the candidate recognized that and tried to gather more information to give the right answer shouldn't be counted against him, as you did, but indicate that he's good at clarifying unclear requests (which is just about all of them).

      --
      Learn to love Alaska
    4. Re:It's a vast field.... by pugugly · · Score: 5, Informative

      No, you (Alice) encrypt with your private key, then encrypt with 'Bobs' public key, then Bob decrypts with his private key and again with Alice's public key.

      Thus Both Alice and Bob are authenticated, and no one besides Alice and Bob can intercept.

      Pug

      --
      An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
    5. Re:It's a vast field.... by Java+Pimp · · Score: 5, Interesting

      This. As someone who has 16 years under my belt I'm finding it more and more difficult to branch into areas which I've had little experience because to justify my salary I'm expected to already be an expert. Which is a shame because I have at least another 20 years of new technologies to learn before I retire.

      --
      Ascalante: Your bride is over 3,000 years old.
      Kull: She told me she was 19!
    6. Re:It's a vast field.... by Slashdot+Parent · · Score: 5, Insightful

      It all comes down to what you define as "general knowgledge" for a developer should be and that is highly subjective.

      Can I be snarky for a moment and just enjoy the irony of a sentence that wonders what should be considered to be "general knowledge", and it has the word "knowledge" misspelled? :) Continuing with the theme, I'm sure I just made a run-on or something in the midst of my pedantry.

      OK, back to business. This is a hard question to answer for a senior developer, what should be considered to be "general knowledge". I think that to be a successful developer at the senior level, you really need to know a little bit about a lot of things, and be able to look up what you don't know.

      By way of example, as a developer, if I were to see something like "192.168.0.0/24", I recognize that immediately as an IP address range in CIDR notation. Mind you, I have no earthly clue how to compute that range--I'm not a network guy--but I know what it is in the general sense. Enough to google for "CIDR calculator" in order to compute the range in a format that I understand.

      Part of being a developer is having a decent working knowledge of security concepts. Like "Oh, I'm sending a file across the public Internet. Someone could intercept that. I'd better protect it somehow with encryption." Maybe the developer doesn't quite know what type of encryption to use yet. Should the connection be encrypted, or the file? Or both? Is it required to verify the authenticity of the file? Should it be signed? Or is it good enough to verify the remote host? Or some type of login?

      Incidentally, I disagree with OP that the answer of "The person started off by asking me if it was an excel file, a PDF, etc." was totally unacceptable. Excel and the PDF standards both have encryption support, so if the "sensitive data" were an Excel file, the path of least resistance would be to pointy-clicky through the menu and click "Encrypt this here spreadsheet" (or whatever the command is). Likewise with the PDF, but with Acrobat instead. Of course this does not solve the general problem of "how do I protect sensitive data?", but maybe he doesn't want to bother looking up and verifying your public key, installing GPG or setting up S/MIME or whatever if a simple solution exists. If I were to send you a spreadsheet of salary data for the company, you can bet I'd just encrypt the fucker within excel and tell you the password via some other channel like the telephone.

      --
      They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
    7. Re:It's a vast field.... by thechemic · · Score: 5, Insightful

      You're asking "developers" questions about "information security" by using vaguely worded questions that even "information security" experts would need to clarify, and when you don't get the results you're looking for, you take to the internet and declare that you are "worried about the quality of developers/engineers". I am quite sure that many of your interviewees have left your facility worried about the leadership qualities at your firm as well.

      Try asking very broad open-ended questions such as, "Tell me about your general understanding of different types of encryption processes, and elaborate on any experiences you have using them." You might find that interviewees dump so much information on you about encryption that you can't get them to shut up.

      --
      Let's make like a bird... and get the flock outta here.
    8. Re:It's a vast field.... by lgw · · Score: 5, Funny

      You aren't evaluating candidates. You are making a common interviewing mistake and fishing for specific answers. You (wrongly) assume that a matching answer is a good answer.

      To put it another way, "what do I have in my pocket?" is not a legitimate riddle!

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. Did they ask if they could look it up? by sandytaru · · Score: 5, Insightful

    You don't need to hire experts right off the bat. What you want to hire is someone who recognizes that they don't know the answer, and tells you that, and then immediately says they'd go research it to find out. "Can I Google that?" is a perfectly valid answer sometimes. If you hire a person who knows how to learn whatever it is you need them to become an expert in, you'll have a new employee who is not only going to be a valuable asset for where you're hiring them, but also has the flexibility to expand to other areas when necessary.

    TL;DR: Stop looking for purple unicorns, and start looking for fast learners.

    --
    Occasionally living proof of the Ballmer peak.
  3. Physical encryption. by fahrbot-bot · · Score: 5, Funny

    "Suppose you wanted to send me a file with very sensitive information, how would you encrypt it in such a way that I would decrypt it?"

    I'd use a cross-cut shredder, then send it to you in a paper bag along with some Scotch tape. (You didn't specify how easy it needs to be to decrypt, especially if I include some random shredded pages in the mix.)

    Works for most types of files: Excel, PDF, etc...

    --
    It must have been something you assimilated. . . .
  4. About half are below average.... by QuietLagoon · · Score: 5, Funny

    And about half are above average.

  5. Re:Hopefully the applicants had a relevent backrou by Austerity+Empowers · · Score: 5, Insightful

    This is a problem I see in the entire STEM field. You work on technology X for a while, you learn it inside and out, and you expect everyone else who is "qualified" knows what you know. You want to hire someone with no ramp, who is going to drop in on day 1 and start doing great stuff, just as soon as he sets a password to his laptop.

    In practice the fields are so huge, that it's fairly unlikely anyone has the domain knowledge you've acquired in your niche, unless you hire direct from a competitor (in which case you better pay well, or be offering something huge). A more reasonable approach is to weed people out based on their general skillset (i.e. what they should have learned in school), based on resume lies, and general attitude and disposition: excessive use of the passive voice, reluctance to commit to anything, points in their discussion where they failed to pursue issues to the next level, excessive number of employers, etc. Then expect it's 6 months before they start producing something that doesn't require you to hit them for. If you're afraid they will leave in 6 months, you're not paying enough or else you hired an incompetent and he's doing you a favor.

  6. Re:But where/when does one explicitly learn securi by Lunix+Nutcase · · Score: 5, Funny

    You learn it on your own time at your own expense. Duh. You aren't one of those "freeloaders" that expect their employer to invest any of their time or money in the growth and career development of their employees do you?

  7. Re:Yes... by Grax · · Score: 5, Informative

    I keep hearing how hard it is to find good people but then the recruiters tell me that the potential employer can't meet my price point and that is the end of the discussion.

    --
    Coding Blog
  8. Re:This is stupid by michaelggreer · · Score: 5, Insightful

    Looks like all the comments are trending this way, and I agree. The interviewer seems to be looking to "defeat" his interviewees, which is a classic engineer social mistake. This guy likely shouldn't be a hiring manager.

  9. Asking the wrong questions, using the wrong metric by merick · · Score: 5, Informative

    I'm a web developer and I also haven an interest in understand public-private key crypto, PGP, steganography, physical security etc. The thing is, You don't need *any* of that to build good, secure websites. You should be asking about things from the OWASP Top 10 List if you want to gauge their ability to write secure code.

    https://www.owasp.org/index.ph...

    Otherwise you're judging them for not having the same "other" unrelated-to-your-job security interests as you.

    They should understand that they aren't trained enough to build their own authentication encryption systems correctly. They should use generally accepted procedures like BCrypting passwords with a unique per-user SALT that also uses a site-specific key. And that other sensitive fields should be blocked from being recorded in logs, data should be encrypted at rest, etc. But if they have poor OWASP skills, the sensitive data is still readable because it is accessed through the application which is decrypting it for an attacker.

    You're asking the wrong things and judging on unrelated skills.

  10. I'll let you in on a secret... by endus · · Score: 5, Insightful

    Almost everybody is extremely bad at their jobs. Especially in IT, but in general too. I would say a solid 85% of people working in IT today should not be in the field.

    I work in Security and so my job is basically to know, at a high level, how other people should do their jobs. Of course there are compromises that have to be made for functionality and cost, but in reality most IT systems are developed and architected in a way that no one should architect anything for any reason. The amount of money that's wasted because of poor infrastructure is astonishing. Companies could have an architecture that's twice as secure and probably half the cost to maintain if they were willing to make a one time investment in doing it properly.

    Developers are a weird animal too. I know I'm playing with fire saying this on Slashdot. :) In my experience developers have a deep understanding of how systems work and are designed (obviously), but their understanding is *extremely* narrow. This is by no means true of all developers, but it's true of a lot. They can write brilliant code, but they can't tell you how to go about FTP-ing a file, how to encrypt an email, or how a domain works. It's a specialized skill set.

    At a previous company I had to call support because my computer didn't grok with the domain and wasn't getting group policy. The tech, with her domain admin access, comes over and is obviously floundering trying to fix the problem. I suggest running a DOS command I know...she googles it and pulls it up...she gets to the command prompt and starts typing, "command\optionfoobar-x7", etc. How can you possibly be in that field and not know the *most basic structure* of a DOS command? I don't care if you know the command and options, everyone googles that crap, but you don't know how to type it in properly? A backslash and no spaces? Really? Even when you're looking at a webpage which has it verbatim?

    Its no wonder things are in the state they're in.

  11. What Portion of Companies Are Bad At What They Do? by dougg76 · · Score: 5, Insightful
    OP this might or might not apply to your situation

    I would like it flip it around and ask you why do you think your companies are actually worth working for? Are you going to employ us when we are 40, 50, 60+? Are you going to ask me a bunch of stupid questions even though I have 20 years of work in my portfolio? I just don't understand why its so acceptable for employers to be so arrogant in the IT world compared to other professions.

    • Do we ask medical professionals to play with putty during an interview to show us how they work?
    • Do we ask engineers to play with toothpicks and tape to build a bridge to assess their worthiness?
    • Do we ask a chef to make a cup of gravy? (they hate that)

    If companies really wanted good people they would:

    • Treat their current employees better.
    • Pay them market rate instead of rewarding job hopping.
    • Learn how to manage.
    • Build a reputation that will attract good talent.
    • Learn how to be professional.

    I have found that software development might be a decent job, but a horrible career. I'm going to go raise goats and make cheese (sorry ranting)

    --
    I laugh at inappropriate times.