08.21.07
Questions For Interviewing Your Next Security Engineer
By Dan Morrill
These questions are deliberately biased in favor of a security engineer who is not tightly wound around applying military-grade information security to everyone, all the time.
Most interviews are really about both sides being on their best behavior: a candidate who is looking for a job, and a company that is looking for someone who can work miracles with little or nothing to perform the trick with. The questions below are also biased in favor of people who can get along with people, and they are meant to find out how flexible the interviewee is when it comes to thinking outside the box. Those are the biases built into this list.
1. Someone wants to test out a new product that works on a wireless network. How would you advise them to test it?
a. This gives the interviewer a good idea of how well the candidate knows wireless security, and of how willing they are to work with the business to get the product tested. If they propose a clean, segregated test network that does not touch the main corporate network, or that reaches the internet only through a DMZ-style arrangement, that is promising. If they ask for a Faraday cage, you might not have a winner here.
2. The business team has developed a brand new web site. You have just tested it and found a number of cross-site scripting (XSS) flaws. How would you handle that?
a. This tells the interviewer whether the candidate understands web security and development. If they offer to work with the developers to fix the flaws, you have a good candidate. If they say it is the developers' problem and that they cannot help them or the business, this might not be the candidate for you.
3. This is the standard security question that everyone asks: "Design a secure network." You can add some spins to see how the candidate thinks, for example: design a secure network between two offices that is also optimized for, or applies QoS to, various protocols.
a. This leading question should start an interesting conversation about how to link two offices together, how to secure traffic at each layer of the protocol stack, and how best to implement a VPN between them. You do this kind of work with your trusted trading partners every day, so your new security person should know how to do it. If they do, you have a winner; if they don't, you don't.
4. Ask them for their blog URL.
a. If they have a blog, you need to know what they blog about. If they blog about tech, they live, eat and breathe this stuff, and that is good. If they are slamming co-workers, family or friends, or bragging about how they pulled one over on someone, this might not be the person for you.
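The XSS question above asks whether the candidate will sit down with the developers and fix the problem. The following is an added example, not code from the article or its author: a hypothetical search-results page renderer showing the reflected-XSS bug a tester would report next to the escaped version a security engineer could hand back to the developers. The function names, the request path and the sample payload are all constructed for illustration.

```javascript
// Added example, not from the original article. Names are hypothetical.

// Escape the five characters that let user input break out of HTML text or
// out of a double- or single-quoted attribute value. This is the fix to hand
// the developers: encode at the point where data is placed into markup.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: the search term is interpolated straight into the
// page, both in element text and inside an attribute value.
function renderResultsUnsafe(query) {
  return `<h1>Results for: ${query}</h1>\n` +
         `<input name="q" value="${query}">`;
}

// Fixed renderer: every interpolation point is escaped for its HTML context.
function renderResultsSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for: ${q}</h1>\n` +
         `<input name="q" value="${q}">`;
}

// Pull the q parameter out of a request URL. The base host is a placeholder
// so that relative request paths parse; it is never contacted.
function queryFromUrl(rawUrl) {
  return new URL(rawUrl, "http://example.invalid").searchParams.get("q") || "";
}

// What the fixed request handler would do end to end.
function handleSearchRequest(rawUrl) {
  return renderResultsSafe(queryFromUrl(rawUrl));
}

// The crude check a tester scripts during a retest: did a literal script tag
// from the request survive into the response?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload of the kind used to demonstrate reflected XSS.
const SAMPLE_PAYLOAD = "<script>alert(document.cookie)</script>";

// Stand-alone demonstration of before and after.
console.log("unsafe:\n" + renderResultsUnsafe(SAMPLE_PAYLOAD));
console.log("safe:\n" + handleSearchRequest("/search?q=" + encodeURIComponent(SAMPLE_PAYLOAD)));
```

The point to make with the developers is that output encoding belongs at the template, chosen per context (text, attribute, URL, JavaScript), rather than being done by a blacklist on input; a Content-Security-Policy header is a worthwhile second layer but does not replace the encoding.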
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.