• HubertManne@kbin.social
    6 months ago

    Just another reason to not be doing any work before you're paid. They can ask questions or do something static.

  • prof@infosec.pub
    6 months ago

    It’s sad that this works. You’d think especially software professionals would be the most vigilant about running unknown code.

    • lad@programming.dev
      6 months ago

      Professionals in software development do not mean professionals in cyber security.

      Same way you don’t expect a geologist to be a mason

      • prof@infosec.pub
        6 months ago

        That’s a bad take. Unless you get your knowledge purely from shady tutorials or have a fast track bootcamp education, it’s unlikely you never touch on security basics.

        I’m a software design undergrad and had to take IT Sec classes. Other profs also touched on how to safely handle dependencies and such.

        While IT Security is its own specialisation, blindly trusting source code others provide you with is something a good programmer shouldn’t do.

        If you need a metaphor: Just because a woodworker specialises in tables, doesn’t mean they can’t build a chair.

        • Dra@lemmy.zip
          6 months ago

          You are young and blissfully naive. Sec being included with development is a recent thing

        • lad@programming.dev
          6 months ago

          I graduated in CS in this century and we never touched on security. If not for my own curiosity and obligatory annual compliance education on the job (and only on the last one) I would have known near nothing

        • expr@programming.dev
          6 months ago

          In my experience, your average software developer has absolutely terrible security hygiene. It’s why you see countless instances of private keys copy/pasted into public GitHub repos or the seemingly daily occurrences of massive data breaches.

          My undergrad in CS (which I should point out, is still by far the most common major for software engineers) did not require a security course, and I’m fairly confident that this is pretty typical. To be honest, I wouldn’t have trusted any of my CS professors to know the first thing about security. It’s a completely different field and something that generally requires a lot of practical experience. The closest we ever got was an explanation of asymmetric vs. symmetric encryption. There was certainly no discussion of even basic things like how to properly manage secrets or authn best practices.

          Everything I know now as a senior software engineer about software security has come from experience on the job. I’ve been very fortunate to work at some places that take it very seriously (including a government contractor writing cybersecurity software for the Department of Defense) and learned a lot there. But a lot of shops don’t have a culture that promotes good security hygiene, and it shows in the litany of insecure software out in the wild today.

      • prof@infosec.pub
        6 months ago

        Makes sense, I feel bad for the guys that were happy for a chance and got screwed over. (By the hackers, not you, haha)

        • sugar_in_your_tea@sh.itjust.works
          6 months ago

          Some tips for people, real companies won’t:

          • ask you to buy anything and get reimbursed later to start a job
          • require personal info like SSN in the interview process (will be handled by a separate HR process)
          • offer you a job during the first interview

          Be careful out there!

          • Veloxization@yiffit.net
            6 months ago

            I’ve gotten offered a job on the first interview and I worked there for a while. Then again, that was not in my field of IT and was a part-time job with a well-known company, alongside studies. So while it can be a red flag, it’s not always. Depends on the situation. Just stay vigilant.

          • Echo Dot@feddit.uk
            6 months ago

            I’ve been offered a job during the interview. But I did think it was super sketchy and didn’t take it.

            But honestly it was more of a red flag of them just being desperate than anything dodgy going on. They really weren’t prepared to pay that much money, so they wanted to offer people jobs so they wouldn’t think about it.

          • poo@lemmy.world
            6 months ago

            Regarding that last one, my last job actually happened because I was made an offer during the first interview before even doing any sort of technical or programming test…

            … of course most of the developers there were awful, so I wish they had.

            It’s almost as if technical interviews are extremely important in vetting applicants…

            • Dark Arc@social.packetloss.gg
              6 months ago

              Regarding that last one, my last job actually happened because I was made an offer during the first interview

              Probably better stated as a red flag not necessarily “they’re not real.” Usually the folks at the company will want at least a little bit of time to think over the interview and discuss.

              It’s almost as if technical interviews are extremely important in vetting applicants

              It depends, good references and prior work can top “technical interviews” in my book. If someone’s done something interesting a conversation about that interesting thing is often far more useful.

              Technical interviews are more important when you’re looking at people fresh out of college or a code bootcamp.

    • sugar_in_your_tea@sh.itjust.works
      6 months ago

      Yeah, I was pretty skeptical with my current job:

      1. Recruiter contacted me, I didn’t contact them
      2. Interview done by Indians, full remote
      3. I had never heard of the company

      But everything checked out, and I love the job. It’s not a tech company, but it has the best parts of one (proper AGILE processes, separated QA, dev, and DevOps roles, modern tech stack, etc).

      So be careful of scams, but not so careful you miss out on great opportunities.

      • PlantJam@lemmy.world
        6 months ago

        Being a developer at a non-tech company is great. My role tends to blur between Salesforce admin and developer, but that’s partly because of the small size of the company (less than 100 employees total, less than 10 in IT).

        • sugar_in_your_tea@sh.itjust.works
          6 months ago

          We’re a bigger company (publicly traded outside the US, thousands of employees), but we’re a manufacturer, so most of the headcount is blue collar. Our department is medium sized (about 30 full time, plus about 20 from outside firms), so it feels like a smallish company with large company benefits.

          It’s a nice niche. It doesn’t pay as well as the big tech companies, but I almost never work more than 8 hours and frequently less. It’s pretty chill and has great work/life balance. I work in office 2x/week and remote the other two days.

          It’s a pretty decent gig, but definitely seemed sketchy when I joined (I was like the fifth FT employee, so most of the headcount was in another hemisphere). No regrets, but I was watching my paychecks pretty closely for a month or so to make sure they didn’t pull anything weird (to be fair, I was hired full remote during COVID).

      • bitwolf@lemmy.one
        6 months ago

        Are they still looking for talent?

        My current job is taking advantage of the market and drastically changing things for the worse and I’m feeling stuck, far away from my family and friends.

        • sugar_in_your_tea@sh.itjust.works
          6 months ago

          Yeah, we’re almost always hiring. We currently have positions for a mid-level to senior BE (Python), senior DevOps (AWS and preferably coding exp), and mid-level QA (Java testing). We’re hoping to build another complete team once we fill those other positions (so 2-3 BE, 2-3 FE).

          However, I’d prefer not to disclose who I work for exactly, nor can I give a recommendation online, but I work for a company in Utah near SLC, and we expect hires to be local.

          But I highly doubt my company is particularly unique. Tech is tough right now, so look around at non-tech companies that are hiring for tech roles, you might just find a gem. :)

      • expr@programming.dev
        6 months ago

        1. Is pretty standard in the industry for people with experience. I haven’t actually applied to any jobs myself in a while. Job hunting for me is sifting through the recruiter messages that hit my inbox.

        • sugar_in_your_tea@sh.itjust.works
          6 months ago

          Yup, a lot are nonsense though. There are so many that are like “we want you to come work with us,” and then I can and it’s no different than me sending in a resume normally, they just want to expand their hiring pool.

          But whatever, I hate looking for jobs, so it’s nice that I didn’t have to try too hard this time.