Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

The position is an entry-level position that consists of reading C++ code and id

ID: 653148 • Letter: T

Question

The position is an entry-level position that consists of reading C++ code and identifying lines of code that are vulnerable to buffer overflows, out-of-bounds reads, uncontrolled format strings, and a bunch of other CWE's.

We don't expect the average candidate to be knowledgeable in the area of software security nor do we expect him or her to be an expert computer programmer; we just expect them to be able to read the code and correctly identify vulnerabilities.

I guess I could ask them the typical interview questions: reverse a string, print a list of prime numbers, etc, but I'm not sure that their ability to write code under pressure (or lack thereof) tells me anything about their ability to read code.

Should I instead focus on testing their knowledge of C++? Ask them if they understand what a pointer is and how bitwise operators work? My only concern about asking that kind of question is that I might unfairly weed out people who don't happen to have the knowledge but have the ability to acquire it. After all, it's not like they will be writing a single line of code, and it's not like we are looking only for people who already know C++, since we are willing to train the right candidate. (It is true that I could ask those questions only to those candidates who claim to know C++, but I'd like to give the same "test" to everyone.)

Should I just focus on trying to get an idea of their level of intelligence? In other words, should I get them to talk and pay attention to the way they articulate their thoughts, and so on?

Explanation / Answer

I feel a disturbance in The Force when I read "entry-level position" and "reviewing code for security vulnerabilities" in close proximity to each other. Seriously. I've been grinding out code for 40 years and I still can screw up on stuff like this. The people doing code review for security problems need to be more experienced than the people who wrote the code in the first place.

You're far more likely to find actual buffer overflows and sanity-check failures by doing things like Fuzz testing than you are by hiring "entry-level position" programmers. This is the type of tool that actual Bad Guys

Related Questions

The population used in this exercise consists of 317 freshmen students enrolled
Question #3252122
The population will always be a) At least as large as b) Smaller than ANSWER the
Question #3047001
The population will be the ages of six people from your family or friends. The p
Question #3170944
The population will be the ages of six people from your family or friends. The p
Question #3171009
The population, P, of a certain species of yeast cells grows according to the mo
Question #2876821
The populations P (in thousands) of a certain city from 2000 through 2008 can be
Question #2912394
The populations P (in thousands) of a city from 2000 to 2003 can be modeled by P
Question #3016004
The populations of termites and spiders in a certain house are growing exponenti
Question #3014255
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
The position function x(t) of a particle moving along an x axis is x = 5.00 - 8.
Next
The position is relationship manager at a bank The position is relationship mana

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.