I recently spent a considerable amount of time interviewing candidates for a Senior Developer role. One of the main things I wanted to be sure of before they even passed the first interview was that they knew how to write clean, secure code.
Rather than take a large slice of time out in the first interview to *create* such code, I decided to write a piece of well-meaning but lethally dangerous PHP code such as a beginner might create, and ask for their comments on it. Now that I've finished interviewing (for this batch of developers at least) I thought I'd release that code with annotations.
It should be a useful example to anyone who wants to make their PHP secure, as it displays most of the common PHP security mistakes in about 40 lines, as well as a few more general beginner's errors.
I found out a number of very interesting things while interviewing:

* As it happens, I found out more about each candidate's security knowledge in the 10-15 minutes this test took than from the 2-3 hours of pair coding in the second-round interviews. The pair coding, on the other hand, taught me a lot more about their coding styles and personalities.
* There were no female candidates. Coding, it seems, is still very male-dominated.

The moral of the story? Never hire a coder from his CV; make sure he's taken a real-world technical test first, with someone who can really evaluate the results at a higher technical level. Personally I'm unconvinced by memory-test, learn-by-rote certifications that are evaluated by computers; I'd rather draw my own conclusions about a developer.