11

Does anyone know of a short security quiz that could be administered online, to test the security knowledge of a developer? I'm looking for something simple to administer and simple to grade, ideally something that would take a developer only a few minutes, as a screening tool to differentiate folks who have no experience with security from those who have at least a minimum level of knowledge/experience.

Ideally, this would test knowledge of security problems in web application code (most especially, PHP code, but others would be useful too).

Does anyone know of anything like this? Or even something that's in this general space? Alternatively, does anyone have any experience with designing or using such a quiz?

D.W.
  • I think a quiz might be a tricky one in terms of keeping on topic here, or indeed answerable on SE at all. It could be very time localised, as much of infosec changes with time, however high level concepts remain valid. Wonder if this question can be changed round to remove this potential problem. – Rory Alsop Jun 07 '12 at 12:29

2 Answers

7

Use DVWA or Mutillidae, get them to fix the code, then demonstrate pre/post fix behavior? Perhaps a little more complex than you were thinking, but it would also prove their coding ability.

Or, if this is too much, get them to go through DVWA at the lowest security setting, looking for certain data (get usernames, log in without creds, etc.). You could even reduce the quiz to asking a single question: "What is the admin's password?" It won't test their coding knowledge, but it will test whether they know how to test for insecure coding practices.

Full disclosure: I have not used these as a quiz.

schroeder
  • I agree with schroeder here. **Hands-on testing** is the only way to go. Put them in a lab with a vulnerable application and tell them to find, exploit, fix, and document it (practically, whatever subset of those they have time to do). – chao-mu Jun 25 '12 at 18:37
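As an added example (not code from DVWA, Mutillidae, or the answer above), here is what a quiz-sized "fix this, then show pre/post-fix behaviour" item of the kind schroeder describes can look like, written in PHP because the question asks about PHP. The candidate is handed `lookup_vulnerable()` and asked to fix it; `lookup_fixed()` is the answer key. The script runs offline against an in-memory SQLite database through PDO (it assumes the `pdo_sqlite` extension, which ships with most PHP builds); the table and its rows are constructed for this example, loosely modelled on DVWA's `users` table.

```php
<?php
// Added example, not DVWA or Mutillidae code. Uses an in-memory SQLite
// database via PDO so the pre/post-fix comparison runs with no server.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)');
    // Constructed sample rows, loosely modelled on DVWA's users table.
    $db->exec("INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown'), (3, 'Pablo', 'Picasso')");
    return $db;
}

// BEFORE: the code the candidate is handed. The user-supplied id is
// concatenated straight into the query text, so an id containing a quote
// character rewrites the WHERE clause.
function lookup_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT first_name, last_name FROM users WHERE id = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: the fix we expect. The SQL text is fixed and the id is passed as a
// bound parameter, so whatever it contains is compared as data, never
// parsed as SQL.
function lookup_fixed(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT first_name, last_name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration: a legitimate id versus the classic tautology payload used
// against DVWA's low-security SQL injection page.
$db      = make_db();
$payload = "1' OR '1'='1";

foreach (['2' => 'legitimate id', $payload => 'injection payload'] as $id => $label) {
    $before = count(lookup_vulnerable($db, $id));
    $after  = count(lookup_fixed($db, $id));
    printf("%-17s pre-fix rows: %d   post-fix rows: %d\n", $label . ':', $before, $after);
}
```

Run with `php quiz.php`. Before the fix, the payload turns `WHERE id = '1' OR '1'='1'` into a tautology and every user comes back; after the fix the same string is compared against the integer `id` column as a literal value and matches nothing, while the legitimate id returns its single row in both versions. Grading is then a diff of the candidate's function against the answer key plus a check that both lines of output behave this way, which keeps the exercise in the few-minutes range the question asks for.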