Author Archives: volk676

The Software Craftsman Chapters 9 & 10

Chapter 9: Recruitment

When trying to find and hire new Developers, there are some guidelines you should take into account. If your job listing focuses too much on listing the technologies you use and the years of experience needed with those technologies, you may be attracting the wrong kind of Developers. Just because someone can tick all the boxes doesn’t mean they will be the right fit for your team.

When writing your job listing it is better to focus on what type of person will be the best fit for your team, emphasize the responsibilities they will need to undertake when working for you, and describe the environment a potential hire will be working in.

Following these rules can help you attract Software Craftsmen that will become valuable assets in the future.


Chapter 10: Interviewing Software Craftsmen

The interview process is used by both the Company hiring and the potential hire to ascertain whether the relationship they will forge will be beneficial for both parties. The Developer in the interview is trying to see if the Company he is applying to will help his career and reputation, while the Company is gauging whether the Developer will be useful to its ends.

When conducting an interview the Hiring Company should make sure that a candidate is passionate about their job. They should pay attention to how a candidate describes their past jobs: what successes they had and what failures they overcame. The candidate should also be eager to learn about the Company they are trying to get into. They should ask pertinent questions that show they are interested in the work they will be doing.

On the other hand, a prospective candidate needs to see whether the hiring company is really a place he/she wants to work at. You can start by finding out who the interviewer is. Hopefully the person interviewing you is another developer that, if you are hired, you will be working with. If the interviewer is reading off a list and not asking broad questions, that may mean that they don’t really value your opinions and are just looking for a person who will follow orders.

From the blog CS@Worcester – Dan's CS Blog by volk676 and used with permission of the author. All other rights reserved by the author.

XML External Entity

An XML External Entity (XXE) vulnerability affects programs that parse XML supplied from an external source. If exploited successfully, an attack can expose the contents of files on the host system. The mechanism is XML entities, which essentially act as variables.
For example:

<?xml version="1.0" ?>
<!DOCTYPE student [
<!ELEMENT student ANY>
<!ENTITY student "Daniel Mahoney">
]>
<student>&student;</student>

In the above code, every reference to the entity &student; will be replaced with "Daniel Mahoney" when the XML is parsed.

<?xml version="1.0" ?>
<!DOCTYPE passwd [
<!ELEMENT passwd ANY>
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<passwd>&passwd;</passwd>

Declaring the entity with SYSTEM makes the parser substitute the contents of a file on the host system into the document. This can be used to extract sensitive information and, if the file being read produces unbounded output, for Denial of Service attacks.

The best way to protect yourself from these attacks is to disable external entity resolution in the configuration of whatever XML parser you are using.
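As an added example (not from the original post), here is how that protection looks with Python's standard-library SAX parser: external general and parameter entities are switched off, so the internal entity from the first document still expands while the SYSTEM entity from the second is skipped instead of pulling in the file. The two documents are constructed copies of the post's examples.

```python
import xml.sax
from xml.sax import handler
from io import StringIO

# Constructed sample documents, same shape as the two examples above.
INTERNAL_ENTITY_DOC = """<?xml version="1.0" ?>
<!DOCTYPE student [
<!ELEMENT student ANY>
<!ENTITY student "Daniel Mahoney">
]>
<student>&student;</student>"""

EXTERNAL_ENTITY_DOC = """<?xml version="1.0" ?>
<!DOCTYPE passwd [
<!ELEMENT passwd ANY>
<!ENTITY passwd SYSTEM "file:///etc/passwd">
]>
<passwd>&passwd;</passwd>"""


class TextCollector(handler.ContentHandler):
    """Accumulates all character data seen while parsing."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_without_external_entities(xml_text):
    """Parse xml_text with external entity resolution disabled.

    Returns the document's text content. A SYSTEM/PUBLIC entity
    reference contributes nothing, because the parser never opens
    the referenced file or URL.
    """
    parser = xml.sax.make_parser()
    # Hardened setting: False. True is the dangerous setting that
    # would let <!ENTITY x SYSTEM "..."> read from disk or network.
    parser.setFeature(handler.feature_external_ges, False)
    parser.setFeature(handler.feature_external_pes, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(StringIO(xml_text))
    return collector.text()
```

With these features off, parsing the second document yields an empty string rather than the contents of /etc/passwd, while the first still yields "Daniel Mahoney".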

From the blog CS@Worcester – Site Title by volk676 and used with permission of the author. All other rights reserved by the author.

Buffer Overflow

A Buffer Overflow occurs when more data is written into a buffer than it can hold, so that the memory next to the buffer is overwritten. Buffer overflows are usually associated with the C programming language because it performs no array bounds checking. An attacker can use a buffer overflow to run malicious code by overwriting the memory beyond the end of the buffer. To combat such an attack a programmer needs to always know where buffers are allocated and make sure the code checks that the buffer's bounds are never exceeded.

From the blog CS@Worcester – Site Title by volk676 and used with permission of the author. All other rights reserved by the author.