Friday, June 29, 2007

The penetration tester

As I mentioned in the last post, I was slated to interview a potential penetration tester.
At the appointed time, the guy walks in, with a voluminous stack of printouts of emails from various sources crediting his work.
Boy... was I impressed. A guy with close to 8 years of experience, well versed in both black box and white box testing, with experience in security-focused code reviews, a member of a web app security group, exploits under his belt and what not...
Still, I need to talk to him, assess his competencies. So, I write a few lines of code that creates an SQL query string on the fly using a fixed-size stack buffer, and ask for a review.
And then the punishment began.
He identified the buffer overflow. I asked him to explain the working of a buffer overflow. I got an "are you stupid" stare, and my candidate went off tangentially about a tool which can detect all "unsafe" function calls and report them. I prompted him to focus on the question; he goes on again about a remarkable tool that he used (no, he wasn't the author of the tool, but a user) to discover web app security vulnerabilities. Well done, I said, and moved on...

"Explain to me an XSS." He jumped to it. He explained. And I listened. We went to a site which had a blatant "staring you in the face" XSS. He explained to me again that he uses yet another "tool" for detecting XSS, and won't be able to answer my question without access to his tool.

But then, I do look for a possible flash of brilliance from people I interview. You can't expect people to know everything, can you? So, I go back to the code, and ask him how to mitigate the buffer overflow.

The contrived code was something like this:

#include <stdio.h>

int userExists(const char *name)
{
    char buffer[1024];
    /* unbounded write: a name longer than the buffer overruns the stack */
    sprintf(buffer, "select * from users where name='%s'", name);
    return runQuery(buffer);
}

Solution... replace sprintf with

    memcpy(buffer, name, strlen(name) - 1);

At this stage, I had two options...thank him for his time and interest, or pull my hair out.
I still have hair on my head...
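For the record, here is the answer the question was fishing for, as an added example that is not part of the original post. The candidate's memcpy still writes strlen(name) bytes into a 1024-byte buffer, so it overflows on exactly the same input; it also drops the last character, leaves no NUL terminator, and throws the SQL away entirely. The bounded replacement below uses snprintf and checks its return value, because silent truncation would cut off the closing quote and hand the database a different statement. runQuery() is a constructed stand-in that records the statement instead of executing it, and the character allowlist in nameIsPlain() is an assumed policy for this example, not something from the page:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define QUERY_BUF 1024

/* Constructed stand-in for the page's runQuery(): nothing reaches a
 * database; the statement is just recorded so a caller can inspect what
 * would have been executed. Returns 0 to mean "query accepted". */
static char last_query[QUERY_BUF];

static int runQuery(const char *sql)
{
    snprintf(last_query, sizeof last_query, "%s", sql);
    return 0;
}

const char *lastQuery(void)
{
    return last_query;
}

/* Fix for the overflow: snprintf bounds the write to the stack buffer,
 * and its return value (the length the complete string would have had)
 * is checked, so an over-long name is refused instead of being silently
 * truncated. Truncation is not a safe outcome here: it would drop the
 * closing quote and change the statement.
 * Returns -1 when the name does not fit, else the runQuery() result. */
int userExistsBounded(const char *name)
{
    char buffer[QUERY_BUF];
    int n = snprintf(buffer, sizeof buffer,
                     "select * from users where name='%s'", name);
    if (n < 0 || (size_t)n >= sizeof buffer)
        return -1;
    return runQuery(buffer);
}

/* The bound check says nothing about *what* is copied: the name is still
 * spliced into SQL as text, so a quote inside it changes the statement.
 * Assumed policy for this example (not from the page): a user name is
 * 1..64 bytes of ASCII letters, digits, '_', '.' or '-'. The allowlist
 * is a stop-gap; the proper fix is a parameterised (bound-variable)
 * query through the database client API, which runQuery() here does
 * not model. */
int nameIsPlain(const char *name)
{
    size_t i;
    for (i = 0; name[i] != '\0'; i++) {
        unsigned char c = (unsigned char)name[i];
        if (i >= 64)
            return 0;
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return 0;
    }
    return i > 0;
}

/* Both checks together: reject anything that is not a plain name, then
 * build the statement with a bounded write. */
int userExistsChecked(const char *name)
{
    if (!nameIsPlain(name))
        return -1;
    return userExistsBounded(name);
}

int main(void)
{
    char longname[2000];
    memset(longname, 'a', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("alice        -> %d\n", userExistsChecked("alice"));
    printf("2000 x 'a'   -> %d\n", userExistsChecked(longname));
    printf("x' or '1'='1 -> %d\n", userExistsChecked("x' or '1'='1"));
    return 0;
}
```

With the fixed text of the statement taking 33 bytes, names up to 990 bytes fit in the 1024-byte buffer and anything longer is refused; the allowlist is what stops the quote-laden name, the bound alone lets it straight through.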

Resume padding can only get you an interview. Beyond that, you gotta know your stuff, dude...
