Tuesday, 2 July 2013

Interviewing APEX developers - Are your candidates security aware?

During our regular search for Oracle APEX security material, we stumbled across a blog post called "Oracle Application Express (APEX) Interview Questions". Selecting the right candidates to fulfil your development requirement is always tricky, and the whole process of interviewing is a difficult thing to get right. There's an interesting book on how Google handle the selection of candidates, although more recently Google have admitted that such techniques may be a waste of time.

We've interviewed candidates for a range of positions throughout our careers; some interviews were purely question based, and some had a technical assessment element. Best of all were the general discussions over a beer. So we like the ethos of the APEX interview questions blog post as a guide to what should be talked over, but we think the security section could use a little refinement. Below we've listed fourteen questions that an interviewer could ask candidates to judge their overall security awareness with Oracle APEX applications. The skill in assessing a candidate lies perhaps less in whether their answers are complete and accurate than in how they handle difficult problems and the thought process they follow when solving them.

Interview questions on Oracle APEX security:
  1. Discuss why allowing a user to set an item's value can, in some cases, be dangerous.
  2. Describe three ways an APEX item value can be set by a user.
  3. Explain how the different protection settings can be used to protect item values from being set by the user.
    -
  4. What class of vulnerability can be introduced by using substitution variables in SQL with APEX applications?
  5. Describe another way such security risks can be present in an APEX application.
    -
  6. What's the difference between a Standard Report Column and one that is set to Display as Text (escape special characters)?
  7. What type of vulnerability can result from using the former type?
  8. Why would you use a Standard Report Column rather than the other type?
  9. How can you ensure that the data displayed in a Standard Report Column is safe?
  10. Describe another way that this vulnerability class can be introduced into your APEX applications.
    -
  11. What's the difference between authentication and authorisation?
  12. Describe several policies that would normally be enforced for authentication.
  13. If you have a report in your APEX application that should only be accessible to certain users, how can you protect it?
  14. What are the four things in APEX that can be protected with authorisation schemes?
Depending on the role we wouldn't expect every candidate to answer all of these questions. But it could prove useful to explore some of them to ensure that security awareness is part of the selection criteria when interviewing for APEX developers.
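To make questions 4 and 6 to 9 concrete, here is an added example that is not part of the original post or of anyone's application: the same APEX report region source written with a substitution variable and then with a bind variable, followed by a Standard Report Column that builds a link. The table EMP, the items P1_SEARCH and P2_EMPNO, and page 2 are assumed names used only for illustration; the injected input is constructed.

```sql
-- Added example (not code from the original post). EMP, P1_SEARCH, P2_EMPNO
-- and page 2 are assumed names. Region sources in APEX are entered without
-- a terminating semicolon, so none is shown here.

-- 1. Vulnerable report source: substitution syntax. APEX replaces
--    &P1_SEARCH. with the item's raw text BEFORE the statement reaches the
--    parser, so whatever the user typed becomes part of the SQL itself.
select empno, ename, job
  from emp
 where ename like '%&P1_SEARCH.%'

-- Constructed input for P1_SEARCH:   ' or 1=1 --
-- Statement APEX actually submits:
--   select empno, ename, job from emp where ename like '%' or 1=1 --%'
-- The filter is gone and every row comes back; the same hole lets an
-- attacker UNION in any table the parsing schema can read.

-- 2. Hardened report source: bind variable. The value is sent to the
--    database as data and is never parsed as SQL, whatever it contains.
select empno, ename, job
  from emp
 where ename like '%' || :P1_SEARCH || '%'

-- 3. Standard Report Column (questions 6 to 9). The column value is
--    rendered as raw HTML, which is what you want when the SQL builds a
--    link, but then every user-controlled fragment must be escaped before
--    it is concatenated. sys.htf.escape_sc encodes the HTML special
--    characters (from APEX 4.2, apex_escape.html does the same job).
--    Without the escape, an ENAME containing <script> would run in the
--    browser of everyone who views the report.
select empno,
       '<a href="f?p=' || :APP_ID || ':2:' || :APP_SESSION
          || '::NO::P2_EMPNO:' || empno || '">'
          || sys.htf.escape_sc(ename)
          || '</a>' as ename_link
  from emp
```

A quick check worth asking a candidate to perform: search an application export for `&P` inside any SQL source or PL/SQL block. Every hit is a textual substitution and deserves the same scrutiny as string-concatenated dynamic SQL, while the bind form `:P1_SEARCH` needs none.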

If you'd like to learn more about Oracle APEX security, check out our Hands-On Oracle Application Express Security eBook. Our US partners over at SkillBuilders also offer APEX specific security training. For answers to the above questions, contact us and we'll send over details.
