Re: [SC-L] Questions asked on job interview for application security/penetration testing job

2009-03-22 Thread Arian J. Evans
On Sat, Mar 21, 2009 at 2:43 PM, Matt Parsons mparsons1...@gmail.com wrote:

> I was asked the following questions on a job phone interview and wondered
> what the proper answers were.   I was told their answers after the
> interview. I was also told that the answers to these questions were one or
> two words.  In the beginning of next week I will post what they told me
> were the proper answers.   Any references would be greatly appreciated.

Looks simple enough. Were there tricks to it? Some companies play
games with these types of interviews. (Google)

I empathize with brevity. Usually when people ramble too long in
interviews they don't know what they are talking about (and are extra
nervous because of this).

So what are the word answers?


> 1.  What are the security functions of SSL?

Transport layer security. Asymmetric public key, symmetric private
key, blah blah


> 2.  What is a 0 by 90 bytes error.

Error? 0x90 is NOP. A bunch of them make a good sled.


> 3.  What is a digital signature, Not what it is?

Authentication


> 4.  What is the problem of having a predictable sequence of bits in TCP/IP?

Session Prediction (leads to etc. etc.)


> 5.  What is heap memory?

Pooled memory dynamically allocated, no fixed-life


> 6.  What is a system call?

Software call to underlying OS function ( FileOpen())


> 7.  what is two factor authentication?

Two of something you have, know, or are



-- 
Arian Evans

Let me issue and control a nation's money, and I care not who writes its laws

--Mayer Amchel Rothschild

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
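Question 4 in runnable form, as an added example that is not part of the original post: a toy model of the blind TCP connection spoofing that a predictable initial sequence number (ISN) allows, the attack Morris described in 1985. The constant-step generator imitates the behaviour of early BSD stacks; its start value and the 64000 step are constructed for this demo, not taken from any real stack. The attacker learns one ISN from a legitimate connection, then completes a handshake on behalf of a spoofed source address without ever seeing the server's SYN/ACK.

```python
import os
import struct

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2**32


class PredictableISN:
    """ISN generator that adds a fixed step per connection.

    Early BSD stacks bumped the ISN by a constant per connection, which is
    what made blind spoofing work. start and step are constructed values
    for this demo, not taken from any real stack.
    """

    def __init__(self, start=0x1234_5678, step=64000):
        self.isn = start
        self.step = step

    def next_isn(self):
        self.isn = (self.isn + self.step) % SEQ_MOD
        return self.isn


class RandomISN:
    """ISN drawn from the OS CSPRNG for every connection (unpredictable)."""

    def next_isn(self):
        return struct.unpack(">I", os.urandom(4))[0]


def syn_ack_accepts(server_isn, seg_ack):
    """RFC 793 acceptability test in SYN-RECEIVED: SND.UNA < SEG.ACK <= SND.NXT.

    After sending SYN/ACK, SND.UNA == ISS and SND.NXT == ISS + 1, so the only
    ACK that completes the handshake is ISS + 1 (mod 2**32).
    """
    return seg_ack % SEQ_MOD == (server_isn + 1) % SEQ_MOD


def blind_spoof(server, assumed_step=64000):
    """One blind connection-spoofing attempt against `server`.

    1. Attacker opens a legitimate connection and records the ISN it gets.
    2. Attacker sends a SYN whose source address is a trusted host; the
       server's SYN/ACK (carrying a fresh ISN) goes to that host, so the
       attacker never sees it.
    3. Attacker sends the final ACK blindly, guessing ISN = observed + step.
    Returns True if the server would accept the blind ACK.
    """
    observed = server.next_isn()       # step 1: attacker's own connection
    server_isn = server.next_isn()     # step 2: ISN for the spoofed connection
    guess = (observed + assumed_step) % SEQ_MOD
    return syn_ack_accepts(server_isn, guess + 1)  # step 3


def success_rate(make_server, attempts=1000):
    """Fraction of blind attempts that complete the handshake."""
    hits = sum(blind_spoof(make_server()) for _ in range(attempts))
    return hits / attempts


if __name__ == "__main__":
    print("constant-step ISN:", success_rate(PredictableISN))  # 1.0
    print("random ISN:       ", success_rate(RandomISN))       # 0.0 (each try has p = 2**-32)
```

The handshake check is the exact RFC 793 rule, so with a constant step every blind attempt lands; with a random 32-bit ISN the attacker has one chance in 2**32 per try. The same predictability is what later lets an on-path or off-path attacker inject data into an established session, which is the "session hijacking" answer in the thread; RFC 6528 is the standard fix (per-connection-tuple randomised ISNs).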


Re: [SC-L] Questions asked on job interview for application security/penetration testing job

2009-03-22 Thread Matt Parsons
Here are the answers that I was given for the following questions by a
non-technical recruiter.

1.  What are the security functions of SSL?  Encryption and authentication

2.  What is a 0 by 90 bytes error. Buffer overflow.

3.  What is a digital signature, Not what it is?  The sender's message is
encrypted with the sender's private key and attached like a signature to an
encrypted message to ensure that the person is who he claims to be. The
recipient uses the sender's public key to decrypt the signature.

4.  What is the problem of having a predictable sequence of bits in TCP/IP?
TCP/IP session hijacking. I also thought it was a man-in-the-middle attack.

5.  What is heap memory? A heap memory pool is an internal memory pool
created at start-up that tasks use to dynamically allocate memory as needed.

6.  What is a system call?  Call from the operating system. 

7.  what is two factor authentication?  Use of something you know, something
you have, something you are.

Thanks

Matt Parsons

Matt Parsons, CISSP

From: Matt Parsons [mailto:mparsons1...@gmail.com]
Sent: Saturday, March 21, 2009 4:44 PM
To: 'Secure Code Mailing List'
Subject: RE: Questions asked on job interview for application
security/penetration testing job

Ladies and gentlemen,

I was asked the following questions on a job phone interview and wondered
what the proper answers were.   I was told their answers after the
interview. I was also told that the answers to these questions were one or
two words.  In the beginning of next week I will post what they told me
were the proper answers.   Any references would be greatly appreciated.

1.  What are the security functions of SSL?

2.  What is a 0 by 90 bytes error.

3.  What is a digital signature, Not what it is?  

4.  What is the problem of having a predictable sequence of bits in TCP/IP?

5.  What is heap memory?

6.  What is a system call?  

7.  what is two factor authentication?

Thanks

Matt

Matt Parsons, CISSP

Parsons Software Security Consulting, LLC
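Question 7 in code, as an added example that is not from the original thread: a password (something you know) checked together with a time-based one-time code (something you have, the phone or token that holds the seed), using only the Python standard library. HOTP and TOTP follow RFC 4226 and RFC 6238; the seed `12345678901234567890` is the test-vector seed published in those RFCs, and the user, password and PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a 31-bit integer and `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFF_FFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), T0 = 0."""
    return hotp(secret, unix_time // step, digits)


class TwoFactorVerifier:
    """Requires both factors: a PBKDF2 password hash and a TOTP seed.

    last_counter records the newest code already accepted, so a code that
    was sniffed or phished cannot be replayed within its validity window.
    """

    # constructed value for the demo; tune the work factor for real hardware
    PBKDF2_ITERATIONS = 100_000

    def __init__(self, password: str, totp_seed: bytes, drift_steps: int = 1):
        self.salt = os.urandom(16)
        self.pw_hash = self._pw_hash(password, self.salt)
        self.seed = totp_seed
        self.drift = drift_steps      # tolerated clock skew, in 30 s steps
        self.last_counter = -1

    @classmethod
    def _pw_hash(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   cls.PBKDF2_ITERATIONS)

    def check_password(self, password: str) -> bool:
        """Factor 1 (knowledge): constant-time compare of the PBKDF2 hash."""
        return hmac.compare_digest(self._pw_hash(password, self.salt), self.pw_hash)

    def check_code(self, code: str, unix_time: int, step: int = 30) -> bool:
        """Factor 2 (possession): accept the current step and +/- drift steps,
        each counter at most once, compared in constant time."""
        now = unix_time // step
        for counter in range(now - self.drift, now + self.drift + 1):
            if counter <= self.last_counter:
                continue                   # already consumed, or older than it
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.last_counter = counter
                return True
        return False

    def authenticate(self, password: str, code: str, unix_time: int) -> bool:
        # The code is only consumed when the first factor passes, so a
        # guesser cannot burn the user's current code with a wrong password.
        return self.check_password(password) and self.check_code(code, unix_time)


if __name__ == "__main__":
    SEED = b"12345678901234567890"        # RFC 4226 / RFC 6238 test seed
    user = TwoFactorVerifier("correct horse", SEED)
    now = 1234567890
    print(user.authenticate("correct horse", totp(SEED, now), now))  # True
    print(user.authenticate("correct horse", totp(SEED, now), now))  # False: replayed code
```

Two things the one-word interview answer hides: the code proves possession of the seed only while the seed stays on the token, so the server must store it as carefully as a password hash (it cannot be hashed, it is needed in the clear to recompute HMACs); and the acceptance window plus the replay check are what keep "something you have" from degrading into "something anyone on the wire has".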