Interviewing software developers

Paladion
By Paladion

November 15, 2005

When do you get secure software? When your developers know how to write secure software. That is a no-brainer; yet how often have you quizzed your developers on application security while recruiting them? We present some questions to ask in your next interview in this article

The Interview

When do you get secure software? When your developers know how to write secure software. That is a no-brainer; yet how often have you quizzed your developers on application security while recruiting them? We present some questions to ask in your next interview in this article.

Ensure the developer is clear about the underlying HTTP requests:

  1. What is the best method to transmit sensitive data - GET requests or POST requests?
    Hint: POST is more secure than GET
    1. If sensitive data is transmitted in a GET request, they will appear in the browser history, will be recorded in the logs and are susceptible to shoulder surfing.
    2. The data in POST requests are not visible in History, web server logs or to shoulder surfers.

A lot of vulnerabilities revolve around validation - here are some important questions to ask:

  1. How would you validate inputs? What is the best way to do it?
  2. Should validation be done on client side, server side or both client and server side?
  3. By default, should all inputs be denied and only those inputs that are needed should be allowed?
  4. Should I create a database of bad inputs and deny them while allowing everything else?
  5. Should outputs also be validated? Why?

Hint: Reasons for having output validation in the application are;

    1. Adversaries rely on application outputs for attacks like Cross Site Scripting.
    2. Error messages are very useful for attackers to launch an attack.
  1. What are the advantages of using pre-compiled queries in SQL?
    Hint: Pre-compiled queries improve performance and security
    1. Performance improvement comes from the database re-using queries that have already been compiled first time.
    2. Security improvement comes from resilience against SQL Injection attacks: queries cannot be modified at run-time by SQL Injection anymore.

Quiz them on session management:

  1. What are the characteristics of a good session token:
    Hint: Good token should be:
    1. Random, not predictable
    2. Changed after successful login
    3. Invalidated after logout.
    4. Timed out after a period of inactivity.

Caching is another area critical to writing secure web applications:

  1. What’s good and bad about browser caches? How do you control caching from the application?
    Hint: Caching improves performance, but can affect security adversely if not done properly.
    1. Caching improves performance by not downloading content that has not changed. Caching is good for large public files, especially images.
    2. But, if pages with sensitive data get cached, a local attacker could steal it from the cache. Such web content could include sensitive customer information, like bank statements, account details etc.
    3. HTTP cache control directives like cache-control: no-store may be used to use the cache securely.

The purpose of this article is to help Project Managers recruit developers with the right mindset and a fundamental ability to think on security issues. Some developers might not know the answers to these questions directly; let them think and if they demonstrate the correct approach, half your battle is already won.


Tags: Best Practices

About

Paladion