Hi,
I’m currently looking for a very good PHP programmer & 95% of all the people who respond say nothing about security.
I ask them an open ended question like:
“What are the top 4 things an excellent programmer does when creating an application?”
But I still get no response re: security.
What kind of question can I ask that will tell me 100% whether the programmer knows how to write secure code & lock the appl. down or not?
Thanks
Michelle
Also, can someone tell me what Codeigniter is?
Thanks
Michelle
CodeIgniter is open souce PHP Framework
Google is your friend 
and should give you enough info on it.
IN answer to your first question, you could ask that to all us of here and get a different answer, and they’d probably all be correct. The most important 4 things will change from contract to contract and customer to customer so IMHO theres no real way to define the responses you want to hear. For me the most important thing is always the relationship with the client and understanding what the client wants, from a €300 website to a €20,000 one, because more times than not they dont actually have a clue what they want or whats involved in getting it. :x
Why not just ask the question straight “What types of security do you build into your applications as standard” ?
If your after a high security locked down system, I’d firstly ask if you were going to host on your own servers, because if not, you aint gonna be “locked down”. Extreme answer … yes … but Im just proving a point. 
Sure any scripts should be secure against injection attacks, spam postings etc as a matter of course, but to be brutally frank if you dont know what your asking for you not really gonna know if Im thowing words at you or actually answering your question.
Id suggest therefore that you ask a straight question, we programmers are generally logical beings, we respond better to a straight questions than the curved variety :D.
If you ask vague and open-ended questions, then you’re going to get vague and open-ended answers. Instead, if you want to find out what a candidate knows about security, then just come right out and ask them what they know about security.
While I agree with you, if I asked that question in the hiring ad, anyone can just look up the answer, so clearly that doesn’t work.
As for you both assuming every programmer knows & implements tight security, well… I guess you don’t know all the programmers in the world.
When I hired programmers from both Russia & the Philippines to create an application for me years ago, I found out later on it was NOT locked down. Even the American guy who tried to fix all their mistakes didn’t talk to me once about the security of the application.
IMO, that’s the job of the programmer to educate the client in this area, not the other way around.
Michelle
Erm… I don’t think either I or Mandes assumed that. All either of us said is that if you want to ask about security, then don’t beat around the bush.
That’s fine if you don’t want to put the question in the hiring ad. Since you were posing questions to a potential candidate, I assumed you were in the interview stages.
Sure, no problem there. In your original post, you were talking about questioning a candidate during an interview, in which case you should already know the answers to your own questions, because the whole point is to test the candidate’s knowledge and skill.
I guess I’m still not making myself clear. I want to know if they actually know about security or lie & say they do.
IMO, if the person doesn’t address security in their bid, it’s safe to assume it’s not something they feel is important or they know how to do.
Before I interview, I need to know if they know security. I’m not going to waste my time interviewing if they don’t.
No I don’t know the answers to all my questions, if I did, I’d be an expert in security LOL I can only take other people’s answers & HOPE they person answering comes close to what I’m reading otherwise I’m screwed. And yes, that has happened before when asking bookkeepers questions, I had the answer in front of me & they answered in a totally different way. Then I was lost.
Michelle
To know that, you’d have to know about security yourself so you can judge the accuracy of what they say. If you’re not in a position to judge a bidder’s accuracy, then you’ll have to shop for contractors the same way you shop for a car mechanic—it largely comes down to a sense of trust.
Another option might be to find a highly qualified (and thus highly priced) contractor or agency, and use them for just two hours each week to audit the code produced by the cheaper contractor who’s doing the bulk of the work. That way, if they’re building junk, you can find out early and cut your losses.
Unfortunately, I don’t think that’s a safe assumption. In my experience, most non-technical clients are most persuaded by marketing jargon. Even top agencies here in the States will try to sell you with marketing jargon more so than technical details.
What your after seems to be a losing battle. Find someone who is experienced and recommended and go with it. Unless you learn all things associated with web development to the point you could deliver the project yourself it is all just fluff. What professional wants to be working with someone who doesn’t trust them and micro-managing even though they know nothing about the topic. I’ll tell you the kind… the kind producing the quality of work you would like to avoid. That is the impression you put off with questions like that. There is quit a bit of work available in this field and no one wants to work with difficult people besides overseas…
Unfortunately that’s out of the question for me.
Well as always, I’m the opposite LOL, I already know that a lot of them BS, so I’m looking to understand what they know technically.
Thanks for your pov.
Michelle
I don’t appreciate your “assumptions” at ALL. I feel they are condescending & way off the mark.
How you jump to the conclusion that I would micro manage someone just b/c I want to make sure I hire the right person & not get ripped off is beyond me. Your logic astounds me.
I have every right to want to protect myself & my company which does NOT mean I’m difficult. What an accusation!
Professional companies always screen their workers. I don’t know one real professional company that doesn’t.
It sounds to me like you want everything done YOUR way & if it’s not & you don’t control the company & their hiring process, you cause problems or run away. That’s the type of behavior I’d never go for because those types of workers are difficult to manage & cause way more stress than they are worth.
That’s why skill is ONLY part of the equation when hiring, the other part is their personality & communication skills or lack thereof.
Michelle
I wasnt talking about the ad, I was talking about the face to face (or at least a virtual) meeting/conference, If you place your faith in hiring staff without having a ‘live’ interview with them then this is probably your first mistake.
No, I only claim to know 89% of the programmers of the world.
And by the looks of it your in Toronto, where there are scores of perfectly good programmers, so why were you looking halfway round the world … price? … sorry but you buy cheap you get cheap, and thats life Im afraid. I assume that they gave you references that you checked out ?
And Im confused, you hired an Americain to fix problems with an application that was built by different programmers in different countries speaking different languages. The fact he was hired by you and never spoke to you of security would suggest that he wasnt hired to fix the security issues of which you speak, so you already had problems with site outside the security issue … how am I doing so far ? Then your complaining that this site had holes in its security, it sounds like it was a sham from the begining.
Absolutely NOT. You dont expect a mechanique to educate you in your car safety, or an electrician educate you in regulations pertaining to house wiring. You expect them to the their job properly, which comes down to finding someone you have trust in, that is open and that tells you the way it is and not just what you want to hear, and can give you solid references.
Now if you do know about cars or electrics then and only then are you in a position to question them on their knowledge and decide whether he is good enough to do the job you want.
If you want me (and I suspect most of the contract programmers here) to do a job you’ll get a price to do that job, but it wont include teaching you our job, the price will include the level of security that the programmer sees appropriate for that job. (unless the client has specified security levels that exceed those estimations in the contrat). If I see a hole in your specification I’ll plug it, if you asking for something thats really over the top I’ll tell you and explain why thats over the top in your situation and ask do you really want me to do that. But it certainly doesnt extend to educating you in my field of expertise.
As has been said by me in my first reply and by Jeff above also, if you dont know the problems yourself then you cant be the one asking the questions.