Testing potential developers and spotting bad PHP

I recently spent a considerable amount of time interviewing candidates for a Senior Developer role. One of the main things I wanted to be sure of before they even passed the first interview was that they knew how to write clean, secure code.


Rather than take a large slice of time out in the first interview to *create* such code, I decided to write a piece of well-meaning but lethally dangerous PHP code such as a beginner might create, and ask for their comments on it. Now that I've finished interviewing (for this batch of developers at least) I thought I'd release that code with annotations.


It should be a useful example to anyone who wants to make their PHP secure, as it displays most of the common PHP security mistakes in about 40 lines, as well as a few more general beginner's errors.
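The annotated test code itself is not reproduced on this page. As an added illustration of the kind of beginner mistakes the post has in mind (this is not the author's interview test; the `users` table with columns `id`, `name` and `bio`, the theme files and the database connection are assumed for the sake of the example), here is a "show a user's profile" page written the way a novice might write it, beside a hardened rewrite of the same page:

```php
<?php
// Added illustration, not the author's test code. Assumed: a `users` table with
// columns id, name, bio; theme_light.php / theme_dark.php beside this script.

// ---------- Beginner version: deliberately flawed, do not deploy ----------
function showProfileVulnerable(mysqli $db): void
{
    // 1. Request parameter concatenated straight into SQL: SQL injection.
    $id = $_GET['id'];
    $result = $db->query("SELECT name, bio FROM users WHERE id = $id");

    // 2. Driver error text shown to the visitor: leaks schema and paths.
    if ($result === false) {
        die($db->error);
    }
    $row = $result->fetch_assoc();

    // 3. Database content echoed raw into HTML: cross-site scripting.
    echo "<h1>" . $row['name'] . "</h1>";
    echo "<p>" . $row['bio'] . "</p>";

    // 4. Request-controlled include path: local (or remote) file inclusion.
    include $_GET['theme'] . '.php';
}

// ---------- Hardened version of the same page ----------
function showProfileHardened(PDO $pdo): void
{
    // 1. Validate the type before the value goes anywhere near a query.
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Invalid id');
    }

    // 2. Prepared statement: the value is bound, never concatenated.
    //    Configure the connection with PDO::ERRMODE_EXCEPTION and log
    //    exceptions server-side; never echo driver errors to the client.
    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit('No such user');
    }

    // 3. Escape on output, with the character set stated explicitly.
    echo '<h1>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
    echo '<p>' . htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8') . '</p>';

    // 4. Allow-list the include: the request selects a key, never a path.
    $themes = ['light' => 'theme_light.php', 'dark' => 'theme_dark.php'];
    $theme = $_GET['theme'] ?? 'light';
    if (!isset($themes[$theme])) {
        $theme = 'light';
    }
    include __DIR__ . '/' . $themes[$theme];
}
```

The four numbered points are the ones a candidate should be able to spot unprompted: input that is trusted, errors that are displayed, output that is not escaped, and a file path that the request controls. The fix in every case is the same shape: validate on the way in, escape on the way out, and keep untrusted data out of any position where it is interpreted as code or as a path.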


I found out a number of very interesting things while interviewing:


  • Giving interviews is (by the 10th or so) harder work than taking them.

  • A lot of candidates assume that a "Senior PHP Developer" is a project manager who doesn't need to be able to understand or audit the code produced by his* minions.

  • Far too many "Senior Developers" with significant commercial experience don't know about security issues. This probably explains why so many websites get hacked.

  • The greater a candidate's involvement in the online community, the more they tended to know and care about security. One of the key things I was looking for was developers for whom PHP was more than a 9-5 job, and this experience very much justified that requirement.


As it happens, I found out more about each candidate's security knowledge in the 10-15 minutes this test took than from 2-3 hours of pair coding in the second-round interviews. From the pair coding, however, I learned a lot more about their own coding styles and personalities.


The moral of the story? Never hire a coder from his CV; make sure he's taken a real-world technical test first, with someone who can really evaluate the results at a higher technical level. Personally I'm unconvinced by memory-test, learn-by-rote certifications that are evaluated by computers; I'd rather draw my own conclusions about a developer.





* There were no female candidates. Coding, it seems, is still very male-dominated.

Posted by parsingphase, 2006-04-15 11:03
