It depends on what you want. You mentioned below the fact that a certain question may not let you know if the person knows what they're doing. That makes me think that you want experienced candidates. If so, how about:

"What is your favorite tool (one open source and one commercial)?"

Say... Wikto and WebInspect (now by HP) respectively. If they can't name at least one of each, you have your answer. This question alone can spark a lengthy conversation between you and the candidate to talk about more than just 2 tools, benefits and shortcomings of each, whether they like open source solutions, etc. If no conversation occurs, then that's just more of an answer.

If you want someone with the right 'tude and are willing to teach them what they need to know, then it should cover more things like their desired workplace environment, preferred culture, projects they've started just for fun, ways that they've taken an initiative to better themselves (not just advance their tech skills), etc.

I'll let others respond with some ideas in your quest for 5.

Hope this helps,
Don

Thank you both...

heck im actually running the interview...

Hadn't ever thought of that, better get my home network upto scratch before the next interview just in case

yup, its just a way to get into their head and ask follow on qeustions.

if they arent practing security at home how confident can i be they really care about it

if they arent keeping up with security or from only one source that is say outdated before it reaches them, i probably dont want them on my team.

Network? I have a Win95 box hooked up to the wireless cable modem from my ISP. Lab? Well, I have IE5 and a command prompt. SSID? 800CALLBILL, open for everyone



On a more serious note....


If you want to find out whether they know how to do things, you'll probably want some deeper than 'general' questions. Perhaps you can ask for an example of how to perform XSS, or ask them to write down a simple 'alert' script. Same goes for SQL injection, ask them what they can put into the input field to test. Maybe ask what a web proxy can be used for.

Or to really test, you could setup a test web application (you could use one of the many available, but they may have already seen it) and let them have at it.

Bill

I really like that question Chris!  You can tell how much they know simply by how deeply they could explain that simple command.  I am going to have to remember that one.

I would assume that if the individual is actually applying for a position as a pentester he would know the difference between a 'hacker' and pentester.

The idea is to test knowledge, both technical and presentation/speaking skills.

A couple of initial questions I always ask when interviewing a candidate are:

1. Present/explain vulnerability X in system Y to management level individuals.
I generally look for presentation skills, technical knowledge, the ability to explain the impact (qualitative & quantitative) to a person and the ability to explain that threat in terms managers can relate to. Their ability to move beyond the single vuln and to look at the environment as a whole and how that vuln impacts it.

2. What research/personal projects are you working on?
Here I look for their dedication and interest in the field. I expect, at the very least that they should be reading/testing/learning about something new. "I turn off my computer at home" is not the answer I would expect.

3. My personal favorite:

Host-A <---> Router-A <---> Router-B <---> Host-B

Explain how A communicates with B using FTP, TELNET, HTTP, ETC (pick one) and use the OSI model as a reference.
Here I look for their knowledge of protocols, tcp/ip, etc... If they cannot explain how ARP works I don't need them.

There have been some good discussions on the securityfocus mailing lists about this topic in the past.

dean