Testing potential developers and spotting bad PHP
I recently spent a considerable amount of time interviewing candidates for a Senior Developer role. One of the main things I wanted to be sure of before they even passed the first interview was that they knew how to write clean, secure code.
Rather than take a large slice of time out in the first interview to *create* such code, I decided to write a piece of well-meaning but lethally dangerous PHP code such as a beginner might create, and ask for their comments on it. Now that I've finished interviewing (for this batch of developers at least) I thought I'd release that code with annotations.
It should be a useful example to anyone who wants to make their PHP secure, as it displays most of the common PHP security mistakes in about 40 lines, as well as a few more general beginner's errors.
I found out a number of very interesting things while interviewing:
- Giving interviews is (by the 10th or so) harder work than taking them.
- A lot of candidates assume that a "Senior PHP Developer" is a project manager who doesn't need to be able to understand or audit the code produced by his* minions.
- Far too many "Senior Developers" with significant commercial experience don't know about security issues. This probably explains why so many websites get hacked.
- The greater a candidate's involvement in the online community, the more they tended to know and care about security. One of the key things I was looking for was developers for whom PHP was more than a 9-5 job, and this experience very much justified that requirement.
As it happens, I found out more about each candidate's security knowledge in the 10-15 minutes this test took than from the 2-3 hours of pair coding in the second-round interviews. The pair coding, however, taught me a lot more about their own coding styles and personalities.
The moral of the story? Never hire a coder on the strength of his CV alone; make sure he has taken a real-world technical test first, evaluated by someone who can really judge the results at a higher technical level. Personally I'm unconvinced by memory-test, learn-by-rote certifications that are marked by computers; I'd rather draw my own conclusions about a developer.
* There were no female candidates. Coding, it seems, is still very male-dominated.