As part of the interview process for our intern program, we asked candidates to prepare a couple slides and write a short blog post on a technical subject. Rich and I debated different subjects for the candidates to research and report on, but we both chose “XML Security”. It is a very broad subject that gave the candidates some latitude, and there was not too much research out there to read up on. It also happened to be a subject that neither Rich nor I had researched prior to the interviews. We did not want to bring biases to the subject, and we wanted to focus on presentation rather than content, to see where the candidates led us. This was not to be a full-blown research effort where we expected the candidate to take a month to dig into the subject, but rather meant a cursory effort to identify the highlights. We figured it would take between 2-10 hours depending upon the candidate’s background.
Listening to the presentations by the candidates was fun as we had no idea what they would focus on or what viewpoint they would present. Each brought a different vision of what constituted XML security. Some focused on one aspect of the problem space, such as web security. Some provided an academic overview of XML issues, while others offered depth on seemingly random aspects. All of the presentation were different from each other, and far different than what I would have created, plus some of their statements were counter to my understanding of XML security issues. But the quality of the research was not really what was important – rather how they approached the task and communicated their findings. I cannot share those with you, but I found the subject interesting enough that I thought Securosis should provide some coverage on this topic, so I decided to go through the process myself.
The slide deck is in the research library for you to check out if it interests you. It’s not comprehensive, but I think it covers the basics. I probably would come in second if I had been part of the competition, so it’s lucky I have already been vetted. Per my Friday Summary comment, I may learn more from this process than the interns!
Reader interactions
3 Replies to “XML Security Overview”
Interesting approach for evaluating interns. I downloaded the pdf, however, and your conversion tool seems to have cropped off the edges of the pages. You might want to check into that, because some key parts are cut off.
@Brian … yeah, I have not been able to fix that yet, but looking into it.
Nice job Adrian! I actually had a lot of fun doing the write up and if you listen to the latest OWASP security podcast (with Gunnar Peterson) you’ll hear some other aspects to the topic (not that I agree with them all).
It’s too bad all of that other research (while not overly in-depth) has to stay behind lock-n-key.
Now my dilemma is musing over my first post topic, but I think I have a good one started for later this week!