Tuesday, November 09, 2010

My Common Interview Questions… Technical and Introspective

With all this focus I’ve had on finding another job, I started to look at the questions and standards I have when interviewing a candidate in my company. My upper management doesn’t like my questions, because I tend to lean more towards the computer science/software engineering side of the candidate’s skill set, whereas my management would rather I evaluate their ability to show up to work on time (not that I’m bitter or anything). You see, I work for a service-based company, one that gets paid for “warm bodies”. They don’t have a large amount of pride and discipline for the engineering craft, which is one of the main reasons I am looking for another job.

Anyway, I digress. My focus on what I bring to an interview has been improved by my own interview questions. I like to use these to determine if someone is as average a web geek as I am. I've collected a bunch of questions that are technical, but also inquire about the candidate’s professional and technical personality.

General Questions:

  • What sort of websites, blogs, and/or user forums do you follow? This is an open question, and there is no right answer. But anyone who is claiming to be technical should have a decent list of online resources from which they can learn and stay on top of topics. For example, on a daily basis, I browse Slashdot, darknet, coding horror, DZone, Ben Nadel's ColdFusion blog, OWASP.org, and javablogs.com, among others.
  • If you are developing an application, and you come across an error that you've never seen before, what would you do? The wrong answer in this case is to ask someone in the office right away. Even though I pride myself on being a good resource for my co-workers, many times the answers to all problems could be as simple as a Google search. There should be an amount of time spent in research before they ask others to take the time to supply help. The previous question is a good lead-in to this because, if a developer has a good set of online resources, then they can solve most of their problems fairly easily.
  • How many web vulnerabilities are you aware of? And what can you do to prevent them? There are plenty to choose from, such as Reflected Cross Site Scripting, Persistent Cross Site Scripting, SQL Injection, Code Injection, invalid session management, using default configurations, weak encryption, improper error handling, poor input validation, weak authorization and authentication, and cross site request forgery, to name a few. The solutions to these problems include education, proper design, code review, testing, and common sense. A good, experienced programmer would recognize most, or more, of these. A mid-level programmer should know at least 4 or 5. A low level programmer would probably only recognize SQL Injection and cross site scripting.
  • Follow up question: what is the difference between Reflected Cross Site Scripting and Persistent Cross Site Scripting? Reflected is a flaw in which the user's input is reflected back to the user; this can cause a problem by allowing JavaScript code to be run in the browser. Persistent is when a similar flaw is saved to some persistent storage. Being able to answer this shows that they are not just reading buzzwords.
  • Are you familiar with JavaScript? If so, how do you debug JavaScript? There are many tools out on the internet to help with JavaScript and CSS debugging. For example, I use FireBug, a plug-in for the Firefox browser to determine how JavaScript is running.
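
To make the reflected vs. persistent distinction above concrete, here is an added example (not code from the original post) that models both flaws and the output-encoding fix. The function names, the in-memory comment store, and the sample input are all hypothetical and constructed for illustration.

```javascript
// Added example: a search page (reflected) and a comment page (persistent).
// Every name below is hypothetical; the sample input is constructed.

// Encode the five HTML-significant characters for an element-content context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  }[c]));
}

// Reflected: the value arrives in the current request and is echoed straight
// back in the response to that same request.
function renderSearch(queryString, encode) {
  const q = new URLSearchParams(queryString).get('q') || '';
  return `<p>Results for: ${encode ? escapeHtml(q) : q}</p>`;
}

// Persistent: the value is saved once, then served to every later visitor.
const commentStore = [];
function postComment(text) { commentStore.push(text); }
function renderComments(encode) {
  return commentStore.map(c => `<li>${encode ? escapeHtml(c) : c}</li>`).join('');
}

// Constructed sample input: markup where plain text is expected.
const SAMPLE = '<script>alert(1)</script>';

// True when the rendered page contains a script tag the browser would run.
function containsLiveScript(html) { return /<script\b/i.test(html); }

function demo() {
  const query = 'q=' + encodeURIComponent(SAMPLE);
  postComment(SAMPLE);
  return {
    reflectedRaw: containsLiveScript(renderSearch(query, false)),
    reflectedEncoded: containsLiveScript(renderSearch(query, true)),
    storedRaw: containsLiveScript(renderComments(false)),
    storedEncoded: containsLiveScript(renderComments(true)),
  };
}

console.log(demo());
```

Both flaws share the same fix at the point of output; the difference is that the stored value keeps reaching new visitors until it is removed or encoded on render.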

Advanced Programming:

  • Explain the benefits of Object Oriented Programming, and describe some techniques that can be used with OOP. The benefits include improved maintainability, design, portability, modularity, and extensibility. Some techniques include data abstraction, encapsulation, modularity, polymorphism, and inheritance. As a follow up, ask to explain examples of each.
  • What are the differences between using stored procedures in a database vs. writing the logic in a language like Java, and then calling the data with normal SQL queries? The DB stored procedures are compiled on the DB, so you can get better performance, but there is added complexity, since you may have different code based on different databases. This question shows that the candidate knows databases, and not just how to run SQL queries.
  • How would you debug a performance problem?  For example, if you have a web page that takes a long time to load, how would you debug it? This is a pretty open question. The candidate should be wondering, is this a static or dynamic page? Is there a lot of data? Large Images? Media? Try to determine where the performance problem is. Is it the Database? Check the SQL queries, analyze the database connections when the page loads. Is it the Code? Review the code for intensive loops or data calculations, watch the resources on the server, when the page loads. Is it the Network? Run traceroute or a network sniffer to look at how the packets are being transferred. All of these are potential areas for a performance problem.
  • Can you explain the differences between SOAP based web services and RESTful web services? SOAP is a standard, created by the W3C, that defines a request and response message for web services. REST is an architectural design which relies on XML, and HTTP request types. A follow up question would be to ask where you would use each.
  • Are you familiar with Aspect Oriented Programming (AOP)? If so, what benefit does it provide? Most experienced developers should at least understand the concept of AOP. AOP allows for separating redundant code from modules so the developer can focus on the task at hand of the module. This saves development time, and improves maintainability and modularity.

Mid-level Questions:

  • What are 4 different types of scope used in web based programming languages like Java? Application, request, session, and page.
  • How would you loop through the GET and/or POST request parameters, when you don't know the names of the request parameters? This can be different depending on the server side language the candidate is being interviewed about, but they should all recognize the name-value pair characteristic of the request. In Java they can easily use request.getParameterNames() for an array of names. A follow-up question is to ask what sort of information is passed in the request. The candidate should be able to talk about the header information.
  • How would you design a multi-tiered application to separate display from business logic? This can be answered in many ways, but using a framework, an object oriented design, and/or a design pattern can accomplish this. The key focus is to try to keep the HTML from getting cluttered up with logic code.
  • What software frameworks are you familiar with? Each language has its own frameworks. In Java there are quite a few, including Struts, Spring, Seam, and JavaServer Faces. A mid level programmer should be able to understand frameworks, at least on a high level.
  • What are some of the differences between Oracle and SQL Server, in terms of how the SQL is written? Most of the differences are with the out of the box functions, like getting time stamps: getDate() for SQL Server, and SYSDATE for Oracle. But the SQL queries themselves are slightly different, especially with joining tables. SQL Server uses LEFT and RIGHT OUTER/INNER JOIN syntax and Oracle has a shorthand notation of using (+) to represent an outer join.
  • What are the benefits and disadvantages of Normalized vs. Non-normalized database design? Normalized database tables are easier to use and understand, and cut back on redundant data. However, non-normalized tables perform better. Typical web applications use a normalized design, but reporting applications sometimes use a non-normalized design to be able to run queries with a lot of data.

Low level programmer:

If the interviewee only answers a few of the questions above, then chances are they are a low level programmer. If they are claiming more than 5 years experience, and cannot answer any of the above questions, that should be a red flag. However, someone with 2-4 years experience is still learning, and you could ask them how they keep up on the new technologies.

Overall, different organizations have different requirements for who they hire. Some have a strict budget to follow, others have a reputation to uphold. Regardless, the interviewer should have the knowledge of who they want on their team. If the person performing the interview cannot answer the questions they are asking, then it can be very easy to hire the wrong person.

2 comments:

Anonymous said...

Good questions, I only disagree with "web vulnerabilities" - I know only two, SQL Injection and XSS. Most frameworks can take care of it without developers' help. If you are vulnerable to any web attack it's because code you write is a hack.

But really good questions.

The Average Coder said...

Thank you. True that most frameworks help out with web vulnerabilities, but I am still a believer that any web developer worth their pay, should be mindful of what is out there. I've worked in the government for many years, and saw way too many sites hacked, due to ignorance and laziness. Knowing the vulnerabilities, at least on a high level, will put a little more pressure on the programmer to not be so negligent.

You're right, most vulnerabilities happen because of a hack, but there are a lot of hacks out there. And even hacks can be made somewhat secure :-)