1. Security recruitment status

1.1 Highest salary

Internet companies are the best-paying part of the computer industry, engineers are the best-paid people at Internet companies, and security engineers are the best-paid engineers. The boom in the security industry has made a security department standard equipment at every Internet company, and the practice keeps spreading. Because university security programs have only just begun to appear, the shortage of security staff and the high entry barrier have pushed salaries up.

1.2 Mixed quality

The money attracts more and more people into security, but the downside is just as obvious: because staff are scarce, plenty of people fish in troubled waters. The tell-tale sign is that when you talk to such a person about technical details they talk about delivery; when you talk about delivery they talk about control; when you talk about control they talk about team management; when you talk about team management they talk about the industry's prospects. If they can say a little about each of these, fine. More often, though, they answer a different question than the one asked, say things that sound reasonable but are empty, or hear a theory today and come back tomorrow to explain the concept to you. This may offend some people, but it is the reality.

1.3 Circle Culture

Security is a small circle and news travels fast in it: whose database leaked, who was ripped off, who was arrested, who was fined. That is also the circle's biggest advantage: people in it quickly learn about the industry's new technologies, new directions and new policies.

It is easy to learn how each company approaches security construction. You can talk to people at Alibaba about how strong their offline coordination with the public security bureau is, to people at Tencent about how they run their SRC so well, or to Baidu's security people about how they apply machine learning to security products; in security circles this is very easy. There are also plenty of security conferences where you can learn from each company's experience instead of working everything out yourself.

The drawback is also obvious: the so-called "circle culture". Some people attend every conference to meet people from every circle (this does not refer to the students who operate the various SRCs; that is part of their job), yet if you try to talk technology with them, they have nothing meaningful to say beyond the one-line introduction they sent when adding you on WeChat. Thinking that this puts you at the center of the circle is ridiculous and pathetic.

2. The necessary qualities of security practitioners

Basic engineering quality is the foundation of everything. On top of it, if you are good at both offensive/defensive penetration and software development, are driven by interest and can adapt, you will cope well with the challenges of the work.

2.1 Penetration and software development

First, a point of clarification: it is not normal to specialize too narrowly in the security industry. Security work spans the client side, front end, network, back end and servers, and involves languages such as JavaScript, Python, PHP and Java. If you insist on a single specialized skill, you cannot do the job. You can be good at one direction, but the premise is that you understand the rest, and that understanding must go beyond the conceptual level. A security development engineer must know, besides R&D skills, the causes, exploitation methods and fixes of common vulnerabilities. A penetration engineer must have basic development ability in addition to understanding the attack details of various vulnerabilities.

Someone who has both penetration and software development skills has a great advantage in everything they do later.

We have had very senior R&D engineers, but security products are different from user-facing products: there is often no prior experience and no reference to copy. The best position to be in when groping in the dark is to have lived in the house, so building the best product usually requires a strong security background and constant trial-and-error adjustment.

Even where skill is not the issue, communication and ways of thinking often need to shift in order to collaborate better and reduce the generation gap and communication costs. The requirement is understanding, not proficiency.

The current situation is that more people in the security industry lean toward offensive/defensive penetration; those who also have strong development skills have a very obvious advantage in security product development, vulnerability discovery and code audit.

Complementary backgrounds matter a great deal: a vulnerability scanner built by someone with SRC experience, a code audit done by someone with a software development background, and a compliance audit done by someone with a CISP certificate all go much more smoothly.

2.2 Interest driven

Like security product development, penetration testing requires continuous trial and error, pushing through every possible vulnerability one by one; testing a single thing often takes hundreds of requests. That takes persistence, and persistence is not a quality you can learn overnight, but many things can keep us going, interest above all.

My own persistence in security is driven by interest. I will chase a clue from morning until the early hours, and dig from night until the next afternoon to find a breakthrough. I have seen many great white hats who, out of love for the work, crossed industries for it.

2.3 Adaptability

Software engineers switch to a new technology every three years; security engineers move to a new direction every year. There are new vulnerabilities, new attack methods and new language-specific vulnerabilities every day, and new security technologies, defensive means and directions every year. The only way to cope is to keep learning; good self-learning ability is the foundation of everything.

3. Security interview and written test

The most important step for identifying impostors is the interview. Everyone in the industry can say something about the security scene, so one round of interviews must be conducted personally by the head of security technology, who probes the details in depth before judging.

3.1 Interview notes

- Book the interview time in advance and start the interview (phone or on-site) on time; if something comes up, call ahead and communicate it properly.
- Control the pace of the interview and cut off rambling promptly.
- Do not fill pauses with chatter when no question is pending; say little yourself and do not disclose sensitive information.
- Even if you judge within one minute that the candidate is unsuitable, do not hang up immediately; an interview should last no less than 20 minutes.

3.2 Interview Process

1. Self-introduction, projects and skills. Watch how the candidate talks: whether their logic is organized, whether communication is smooth, whether their personality type fits.
2. Detailed questions about the projects they have worked on. Pick questions from 3.3 to check the project's authenticity and the candidate's role and division of labor: how they understood the project, how they mastered it, and how they thought about the problems they could not solve.
3. Spare time. CTF, technical blog, technical books, GitHub open-source projects, websites they browse often, games, TV dramas, and which well-known people in the industry they follow; this shows their technical enthusiasm.
4. Basics. Algorithms: quicksort, bubble sort, selection sort, insertion sort. Machine learning: CNN, RNN, TensorFlow, captcha recognition and so on. Front end: JavaScript, HTML, CSS, debugging tools. Server: commonly used commands, such as server configuration, file permissions, process stacks, port occupancy, abnormal logs.
5. Self-evaluation. What advantages do they think they have over the people around them, and how objectively do they see their own weaknesses? The candidate's fundamental values and bottom line are the most important thing to probe, especially their attitude toward unauthorized penetration and even the black and gray market.
6. Career planning. Do they have a clear career plan and long-term thinking about the future?
7. "Is there anything you would like to ask me?" This covers the suitability of the current position and reveals the candidate's main concerns.

3.3 Interview Questions

Penetration Testing (Web direction)

Vulnerability principles. Pick two to four common and uncommon vulnerabilities in different directions, ask about the principle, exploitation method and fix, then follow up in depth based on the answers:
- How is a Redis unauthorized-access vulnerability exploited?
- SSRF: principle, exploitation method and fix? How does SSRF differ between Java and PHP?
- How is a wide-byte injection exploited, and how is it fixed?
- What is the business purpose of JSONP, how is JSONP hijacking carried out, and how is it fixed?
- What is the principle of CRLF injection?
- How can a URL whitelist be bypassed?
- How is XSS made persistent?

Penetration process. Questions about how vulnerabilities are detected over the course of a full engagement:
- How do you detect privilege-escalation and authorization-bypass problems?
- How does black-box testing detect XSS?
- How do you crawl more requests?

Incident response thinking:
- What kinds of backdoor implementations are there?
- What methods detect webshells?
- A Linux server has been infected with a trojan; describe the emergency response.
- How do you respond to a new 0day (such as Struts2)?

Security assessment:
- In what directions can a new service be assessed before launch?
- In what directions can an existing system be audited to find security risks?

Python:
- Decorators, iterators, generators and their application scenarios.
- Differences between processes, threads and coroutines, and when to use each.

Secure Development (Java direction)

Java basics:
- How is the Java virtual machine's memory divided?
- What are the differences between HashMap, Hashtable and ConcurrentHashMap?
- What are the ways processes and threads communicate?
- What are Java BIO, NIO and AIO, and which scenarios suit each?

Algorithms:
- Quicksort: process and complexity?
- Bubble sort: process and complexity?
- CNN vs. RNN?

Basic services:
- Debugging tools and the troubleshooting process?
- Database index structures; when should a unique index be created?
- How do you write paginated database queries?

Service security:
- The HTTPS interaction process and the security risks of possible misconfigurations.
- The OAuth 2.0 interaction process and the security risks of possible misconfigurations.
- Differences, advantages and disadvantages of symmetric and asymmetric encryption.
- What should you pay attention to when fetching the content of a URL?
- How should parameters be filtered before being stored?
- Filters and interceptors: principles and application scenarios?
- How do you keep the session ID from being read by JavaScript?
- How is a CSRF token designed?
- What is the same-origin policy, and how are cross-domain requests implemented?

Security Operation (Compliance audit direction)
- Their understanding of what internal control, compliance and audit inspection involve and what the job requires; does it match the company environment fully or only partially?
- The differences between security construction in traditional industry and in the Internet industry, the advantages and disadvantages of each, and whether they can accurately grasp the core reason.
- Classified protection (MLPS), information security and network security regulations, GDPR: pick one or two and ask about their understanding of the source and of how far it has been implemented.
- Data security governance: what approaches can be used?
- How do you implement automatic monitoring of abnormal operations through technical means?
- How do you assess the security of an application? How do you audit an application?
- How do you understand separation of duties and least privilege?
- Some CISP and CISSP knowledge points.
- Process design: pick some more complex processes, such as job transfer and resignation, and ask how they would design them and what details they would consider.

Security Architecture (security management direction)
- Some penetration testing, secure development and security operation questions, to make sure the candidate is reasonably balanced across directions.
- Methods, differences and focus of security construction for enterprises at different periods, stages and sizes.
- The security architecture diagram they have built and the one they aspire to.
- Security's relationship with other teams: operations, R&D, QA, GR/PR, internal control, senior management and third-party security vendors.
- Concepts and methodology of security construction, and depth of understanding: defense in depth, the bucket (weakest-link) principle, outside-in, bottom-up before top-down, being able to make the case, least privilege, whitelists versus blacklists, rules for vulnerabilities and false positives, experience versus machine learning, proving vulnerability impact, the relationship between technical controls and awareness raising, security promotion methods, building in-house or buying from outside.
- Identify the overall core goals and the main goals of each project; innovation and ultimate responsibility sharing; black swans and gray rhinos.
- How to measure the level of security construction in an enterprise; what differences in security exist between companies such as Tencent and Alibaba, Baidu and JD.com?
- How to plan the company's security construction for the next three or even five years; where is the security industry heading?

3.4 Written Questions

Interview questions tend to be similar, and because the circle is small they spread quickly; a well-prepared candidate can slip through even in-depth questions. A written test, by contrast, shows hands-on ability very well, so its tasks should be as hard to predict as possible and not answerable by an online search, and can focus on development, debugging, data handling and the like.

Penetration testing direction

- Given anonymous access to a Redis instance, get a shell.
- Perform a security assessment for a project scenario (for example, API interaction with a third-party vendor).

Software development direction

- Read lines 100 to 200 of a file and send them to a specified API, with special attention to exception handling.
- Find the fastest way to make a million subdomain requests and determine which subdomains actually exist; which data structures would you use?
- Given the array [3,4,5,6,2,1,8], output all pairs whose sum is 8. Each number may be used only once, the array length is variable, and time and space complexity should be considered for maximum efficiency.
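The Redis task asks the candidate for a shell; the complementary knowledge they should also be able to show is what makes an instance reachable without a password in the first place. The following added example, written for this page and not code from the original article, audits a redis.conf for those settings: requirepass, bind, protected-mode and rename-command are real Redis directives, and the two sample configurations are constructed.

```python
"""Audit a redis.conf for the settings behind the "anonymous access to Redis"
scenario in the written test.  Added example for this page, not code from the
original article.  requirepass, bind, protected-mode and rename-command are
real Redis directives; the two sample configurations are constructed."""
import shlex
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Commands an unauthenticated client typically abuses to go from "can talk to
# Redis" to "owns the host"; `rename-command <cmd> ""` disables them.
DANGEROUS = {"CONFIG", "DEBUG", "FLUSHALL", "FLUSHDB", "MODULE", "REPLICAOF", "SLAVEOF"}

WEAK_CONF = """
# constructed: listens on every interface, no password, protected mode off
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """
# constructed: loopback only, long password, dangerous commands disabled
bind 127.0.0.1 -::1
port 6379
protected-mode yes
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command MODULE ""
rename-command REPLICAOF ""
rename-command SLAVEOF ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with
    (rename-command may repeat).  shlex handles the quoted "" argument."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    has_pass = any(args and args[0] for args in conf.get("requirepass", []))
    # Redis 7 allows an optional address written as "-addr"; strip the marker.
    binds = [a.lstrip("-") for args in conf.get("bind", []) for a in args]
    loopback_only = bool(binds) and all(b in LOOPBACK for b in binds)
    protected = conf.get("protected-mode", [["yes"]])[-1][0].lower()
    # Protected mode only guards an instance with neither an explicit bind nor
    # a password, so an explicit `bind 0.0.0.0` is reachable regardless of it.
    reachable_remotely = not loopback_only and (bool(binds) or protected != "yes")

    if not has_pass:
        findings.append("no requirepass: every client that connects is fully trusted")
    if binds and not loopback_only:
        findings.append("bind exposes non-loopback address(es): " + ", ".join(binds))
    if protected != "yes":
        findings.append("protected-mode is off")
    if not has_pass and reachable_remotely:
        findings.append("UNAUTHENTICATED REMOTE ACCESS: anyone who reaches the port can run commands")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    missing = sorted(DANGEROUS - renamed)
    if missing:
        findings.append("dangerous commands still enabled: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
```

Running the module prints the findings for both samples: the weak configuration is flagged for unauthenticated remote access, the hardened one produces none. The check is static; it says what the file permits, not what a live instance currently exposes, so confirm against the instance itself (and against any firewall in front of it) before closing or opening a finding.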
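A worked answer to the file-range task, added here and not part of the original article. The endpoint URL and the JSON body layout are assumptions; the HTTP transport is a parameter so the retry and error paths can be exercised without a network.

```python
"""Written-test task: read lines 100-200 of a file and send them to an API,
with exception handling.  Added example, not from the original article; the
endpoint URL and the JSON body layout are assumptions made here."""
import itertools
import json
import logging
import tempfile
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

log = logging.getLogger(__name__)


def read_line_range(path: str, start: int, end: int) -> List[str]:
    """Return lines start..end (1-based, inclusive).  islice streams the file
    and stops reading at `end`, so a huge file is never loaded whole."""
    if start < 1 or end < start:
        raise ValueError("need 1 <= start <= end")
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return [line.rstrip("\n") for line in itertools.islice(fh, start - 1, end)]


def http_post_json(url: str, payload: dict, timeout: float = 5.0) -> int:
    """Default transport: POST the payload as JSON and return the HTTP status.
    Network and HTTP errors propagate as OSError subclasses for send_lines."""
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def send_lines(path: str, url: str, start: int = 100, end: int = 200,
               transport: Callable[[str, dict], int] = http_post_json,
               retries: int = 3, backoff: float = 0.5,
               sleep: Callable[[float], None] = time.sleep) -> Dict[str, object]:
    """Read the range and POST it, retrying transient failures with exponential
    backoff.  Returns a result dict instead of raising, so the caller can see
    which expected failure occurred: missing file, short file, API down."""
    try:
        lines = read_line_range(path, start, end)
    except FileNotFoundError:
        return {"sent": 0, "status": None, "error": "file not found: %s" % path}
    except (OSError, ValueError) as exc:
        return {"sent": 0, "status": None, "error": str(exc)}
    if not lines:
        return {"sent": 0, "status": None,
                "error": "file has fewer than %d lines" % start}

    payload = {"start": start, "end": start + len(lines) - 1, "lines": lines}
    last_error: Optional[str] = None
    for attempt in range(1, retries + 1):
        try:
            status: Optional[int] = transport(url, payload)
        except urllib.error.HTTPError as exc:   # server answered with an error code
            status = exc.code
        except OSError as exc:                   # DNS, refused, timeout, TLS ...
            last_error = "network error: %s" % exc
            status = None
        if status is not None:
            if 200 <= status < 300:
                return {"sent": len(lines), "status": status, "error": None}
            last_error = "HTTP %d" % status
            if status < 500:                      # 4xx is our mistake; retrying will not help
                break
        log.warning("attempt %d/%d failed: %s", attempt, retries, last_error)
        if attempt < retries:
            sleep(backoff * 2 ** (attempt - 1))
    return {"sent": 0, "status": None, "error": last_error}


def make_sample_file(n_lines: int) -> str:
    """Write a constructed sample file ('line 1' .. 'line n') and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False,
                                     encoding="utf-8") as fh:
        for i in range(1, n_lines + 1):
            fh.write("line %d\n" % i)
        return fh.name
```

The points a grader looks for are all visible in the result dict: a file that does not exist or is shorter than 100 lines is reported rather than crashing, a connection failure or 5xx is retried with backoff, and a 4xx stops immediately because resending the same request cannot succeed.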
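A worked answer to the array task, added here and not part of the original article. It generalizes to any target sum and to duplicate values, and shows the two complexity trade-offs a grader would want to hear about: a one-pass hash-based version (O(n) time, O(n) extra space) and a sort-plus-two-pointer version (O(n log n) time, O(1) extra space beyond the sorted copy).

```python
"""Written-test task: list all pairs in an array whose sum is a target, using
each element at most once.  Added example, not from the original article."""
from collections import Counter
from typing import List, Tuple


def pairs_with_sum(nums: List[int], target: int) -> List[Tuple[int, int]]:
    """One pass, O(n) time and O(n) extra space.

    A value x can only ever be paired with target - x, so greedily pairing each
    element with an earlier, still-unused complement yields the maximum number
    of pairs.  `unused` is a multiset of elements seen so far and not yet
    paired, which is what makes duplicates and "use each element once" work."""
    unused: Counter = Counter()
    pairs: List[Tuple[int, int]] = []
    for x in nums:
        need = target - x
        if unused[need] > 0:          # Counter returns 0 for unseen keys without inserting them
            unused[need] -= 1
            pairs.append((need, x))
        else:
            unused[x] += 1
    return pairs


def pairs_with_sum_sorted(nums: List[int], target: int) -> List[Tuple[int, int]]:
    """Sort, then walk two pointers inward: O(n log n) time, O(1) extra space
    besides the sorted copy.  Preferable when memory is tighter than time, or
    when the input is already sorted.  Pairs come out as (smaller, larger)."""
    s = sorted(nums)
    i, j = 0, len(s) - 1
    pairs: List[Tuple[int, int]] = []
    while i < j:
        total = s[i] + s[j]
        if total == target:
            pairs.append((s[i], s[j]))
            i += 1
            j -= 1
        elif total < target:
            i += 1                    # need a larger sum: advance the small end
        else:
            j -= 1                    # need a smaller sum: retreat the large end
    return pairs


if __name__ == "__main__":
    data = [3, 4, 5, 6, 2, 1, 8]          # the array from the written test
    print(pairs_with_sum(data, 8))         # [(3, 5), (6, 2)]
    print(pairs_with_sum_sorted(data, 8))  # [(2, 6), (3, 5)]
```

Both versions return the same two pairs for the test array, (3, 5) and (6, 2); 4 and 8 stay unpaired because their complements, 4 again and 0, are not available. The hash version is the one to reach for when the array is large and unsorted; the two-pointer version wins when the data already arrives sorted or memory is the constraint.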

4. Recruitment channels

4.1 Internal recommendation

Internal referral beats job sites and headhunters. Just as with finding a girlfriend, an introduction from an acquaintance beats a matchmaker, never mind the quality of dating sites. For mid- and senior-level positions, companies pay high headhunting fees, so the internal referral channel is preferred over all others. Find the company you prefer and the position it is hiring for, check the match between the position and your skills and career development, then find an employee at that company and ask for a referral.

4.2 Recruitment website for security industry

If you have no particular target, go to job boards: FreeBuf (security-industry vertical recruitment), Lagou (Internet vertical recruitment), BOSS Zhipin (one-on-one with the hiring manager), Liepin (headhunting), Zhaopin.com, 51job.com and LinkedIn.

5. A Good resume

Finally, what makes a good resume? The premise of everything, of course, is that the content is truthful.

The whole should be concise and clear, with a clear logical structure, and should demonstrate knowledge, skills, experience, talent and connections.

- Clear basic information: name, ID, gender, age, university and major, telephone number, email address, place of residence.
- Work and project experience: pay attention to gap periods, your role and division of labor, and the company's standing in the industry.
- Professional certificates, awards, conference talks, open-source projects, etc.
- Job expectation and direction: what kind of job you want or what direction you want to focus on.
- Personal evaluation: a comprehensive summary showing your professional skills, highlights and strengths.

Extras: send it as a PDF; keep it simple, not fancy; have a GitHub account and open-source contributions; write up the small projects you have done and put them on your blog; use Gmail, Foxmail, a technical address (php.net), a personal domain email and the like. After the interview, ask the interviewer what they think of you and what could be improved.