Creating Candidate Interest

It can be hard to find candidates for positions these days. I know there are a lot of people looking for jobs, but are they the ones you want? Are they a good fit for your team? Those are hard questions to answer when culling through resumes, conducting phone screens, and sitting in interview rooms asking questions from a template. What can be even harder is to compare different candidates when multiple people may interview the candidates. Even if you do all the work yourself, you’re busy. Can you make good comparisons of different individuals that you’ve spoken to across a few weeks, in between all the real work you’re trying to get done?

I know I’ve struggled to do this, no matter how many notes I take or how long the discussions are with other team members. I have had a very mixed bag of success in hiring.

What if you had more qualified, more talented candidates applying who were interested in the work your organization does? What if you gave candidates a chance to impress you with actual work that’s related to what you do? It’s an interesting idea, and I saw this in action from an organization recently. Verizon has built a repo that has a bunch of docker files to show how they build, test, and deploy database changes.

They make this available to anyone, but certainly to candidates who are looking for work. A candidate can experiment with this, play around, and decide whether this is the type of environment in which they want to work. This repo is limited to database changes, with testing, linting, and more, but I could certainly see some sample challenging query problems added in here, perhaps just as tests (similar to exercism.org) with the opportunity for candidates to solve them. I would even take these from internal teachings/learnings that current employees use. Surely, you’re leveling up and teaching your staff how to write better code.

I don’t know if this is hugely scalable as candidates might not have time to work through 10 repos from 10 companies, but I do think that asking those who pass a phone screen to look through here makes some sense. Walking them through some of this in an interview and having them ask questions or explain something could help you better understand how someone works. They might even suggest improvements. This should give you a better idea of whether a candidate is someone who fits in your environment, can do (some of) the work, and works in a way that meshes with your team.

I know some companies have tried some of this in the past, often with a standard test or code quiz, but having a repo gives more time for someone to delve in and learn a bit in advance. It also gives you the chance to showcase some tech that your org uses, which might get a higher caliber of candidates applying because they want to work the way you do. Maybe you’ll even get some experts who want to leave their current job to work with your org.

There is no perfect way to find and hire successful candidates, but I think this is an approach that has some merit and could potentially help create interest from candidates that might not otherwise apply.

Steve Jones

Listen to the podcast at Libsyn, Spotify, or iTunes.


Cyber Insurance for War

Is the United States at war in cyberspace with other countries? It’s the claim that a few insurers made when US-based Merck filed a claim after a 2017 cyberattack. The company filed a $700mm-ish claim, and the insurers rejected it, saying that the attack was an act of war by Russian government operatives. If a factory were disrupted in the real world by actual government operatives (soldiers, spies, etc.), then it likely would be considered an act of war, but in cyberspace, who knows?

Actually, in cyberspace, who really knows who is who, and for whom they work? Maybe we don’t even know who “they” are in many cases.

Bruce Schneier wrote a piece on this, talking about a possible solution of using a government backstop that would provide some assistance or coverage that insurers might not be able to cover. While that sounds good if you have a claim, as a citizen, I think this likely encourages more attacks from others, whether they are nation-states or individuals. If someone thinks they might create a spending crisis in a country, maybe they would mount many attacks that are disguised as coming from a foreign nation and cause government spending issues.

The United States has a scale issue, but this could cause similar issues in many smaller countries if this were a way of doing business. Perhaps this might also cause some economic issues if companies don’t want to do business in places where they aren’t covered.

However, this might not be a big issue as more insurers are starting to carve out exceptions in their coverage for these types of attacks, so if your organization is hacked by a supposed nation-state, you aren’t covered. I suspect this will also start to extend to other exceptions, such as having unpatched (or incompletely patched) systems, poor policies or just incompetent employees, lack of security scans, and more.

In some sense, I would hope that some of these attacks will force, or at least pressure, many organizations to take security more seriously. At the same time, as someone dealing with these changes, it can be inconvenient and a blow to productivity as I struggle to adapt to changes in policy, protocol, and procedure. Some are easy, like locking my home machine. Some are more challenging and frustrating as I try to share more content inside the company. It’s good, but it’s frustrating.

Cyberattacks and cybersecurity are increasingly a part of our lives as technology professionals, and I urge you to spend a little time learning about the field. If you want a fun challenge, the Advent of Cyber 2023 is still up as of this writing. I went through it and it was a fun (and scary) way to learn a few things about security, vulnerabilities, and tools out there.

Steve Jones


Friday Flyway Tips–Quick Command Line Access

One of the things I had to do recently in a demo was access the Git command line. The way I did it impressed a customer, so I put together a quick tip.

I’ve been working with Flyway Desktop for work more and more as we transition from older SSMS plugins to the standalone tool. This series looks at some tips I’ve gotten along the way.

Working with Git and Flyway Desktop

When working with a Flyway Desktop project, you see a screen like this. Most of the time, this works great, and as I showed in another tip, the VCS Git client is on the right side in a blade.

[Screenshot: Flyway Desktop]

If you need to get to the Git repo from a shell, you need to open a shell and then navigate with CMDs to the right location. Or open the location in Explorer and type CMD. However, in the upper right corner, there is a shell icon, which is highlighted below.

[Screenshot: ZoomIt zoom window]

If you click this, the default shell opens in the correct location. In this case, it’s not the repo root, but rather the project root.

[Screenshot: cmd]

I can then run my git commands, like “git status”, and I get relevant results for this project. As you can see below, I have 6 changes, which matches the 6 uncommitted changes in FWD.

[Screenshot: ZoomIt zoom window]

That’s it. Quick access to the repo from the CMD shell.

Try Flyway Enterprise out today. If you haven’t worked with Flyway Desktop, download it today. There is a free version that organizes migrations and paid versions with many more features.

Video Walkthrough

I made a quick video showing this as well. You can watch it below, or check out all the Flyway videos I’ve added:


Using AI for Security

AI (Artificial Intelligence) systems and technology have been all over our industry for the past year or so, ever since ChatGPT released the initial public version in late 2022. It seems that there is a lot of hype around the possibilities, with plenty of excitement and skepticism, depending on who is talking about the tech. However, there do seem to be some places where the technology is working well, and security is one of them.

There is an article about how Microsoft is using AI to help spot ransomware, which seemed to have run rampant a few years ago. It’s still around, though it seems fewer exploits are being publicized. That might be because systems are better protected, perhaps there are fewer attacks (unlikely), or maybe more organizations are getting better at covering up their issues. They might be better prepared to restore backups or quicker to pay a ransom.

In any case, Microsoft is exploring machine learning (ML, a subset of AI) to detect patterns and behaviors that can indicate a ransomware campaign is starting on a system. Looking through logs of activity for unusual behavior is something ML might be much better at, or faster at, than humans.

I certainly know that if I were running queries that might look at my activity on systems, taking a guess about whether or not the activity this week is “regular” and matches patterns from last week is hard. Often exact matches of activity patterns cause lots of false positives if they are too tightly written. If we loosen the parameters too much, we miss potential attacks. A fuzzy view of the pattern is needed, something ML is good at detecting. After all, we need to look at all activity from all users, and determine if Steve’s activity this week is different than last week, and at the same time, is Grant’s activity unusual and a sign that his account is compromised?
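An added illustration of the tuning problem described above (not code from this post or from Microsoft): the same constructed weekly activity counts are checked with an exact-match rule, an overly loose volume rule, and a tolerant similarity rule. Cosine similarity with a 0.9 cutoff is a simple statistical stand-in for the ML models the post refers to; the user data, action names, and thresholds are all assumptions.

```python
import math

# Constructed sample data: per-user counts of actions, last week vs. this week.
LAST_WEEK = {
    "steve": {"select": 420, "insert": 35, "login": 10, "backup": 2},
    "grant": {"select": 300, "insert": 50, "login": 12, "backup": 1},
}
THIS_WEEK = {
    # Steve: ordinary week-to-week drift.
    "steve": {"select": 455, "insert": 31, "login": 11, "backup": 2},
    # Grant: same total volume as last week, but a very different mix.
    "grant": {"select": 40, "insert": 5, "login": 60, "bulk_export": 250, "drop": 8},
}

def exact_rule(base, now):
    """Too tight: any difference from last week is flagged."""
    return base != now

def loose_rule(base, now, factor=5.0):
    """Too loose: flag only when total volume grows by `factor`."""
    return sum(now.values()) > factor * sum(base.values())

def cosine(base, now):
    """Cosine similarity of two action-count profiles (1.0 = same mix)."""
    keys = set(base) | set(now)
    dot = sum(base.get(k, 0) * now.get(k, 0) for k in keys)
    norm = (math.sqrt(sum(v * v for v in base.values()))
            * math.sqrt(sum(v * v for v in now.values())))
    return dot / norm if norm else 0.0

def fuzzy_rule(base, now, min_similarity=0.9):
    """Tolerant: flag only when the mix of activity has shifted noticeably."""
    return cosine(base, now) < min_similarity

def evaluate(rule):
    """Return the sorted list of users that a rule flags this week."""
    return sorted(u for u in THIS_WEEK if rule(LAST_WEEK.get(u, {}), THIS_WEEK[u]))

if __name__ == "__main__":
    for name, rule in [("exact", exact_rule), ("loose", loose_rule), ("fuzzy", fuzzy_rule)]:
        print(f"{name:5s} flags: {evaluate(rule)}")
```

The exact rule flags both users (a false positive on Steve), the loose rule flags nobody because Grant's total volume is unchanged, and the similarity rule flags only Grant.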

Some humans are very good at spotting patterns in activity, but only at a limited scale. We get tired, our minds wander, and we can’t only focus on looking for patterns in log files. We’ll get bored, distracted, and start to make mistakes. AIs don’t get tired, and while they might miss some anomalous activity, and certainly will report plenty of false positives, humans can focus on this subset of reports and perhaps partner with AIs to do a better job helping secure our systems.

I lean towards the idea that AI technology will help us better spot malicious activity in the tremendous amount of data we capture about our networked systems when humans are attempting to hack us. What I’m not sure about is how well criminal actors will use AI tech to further disguise their activity. I can certainly see a future where lots of AI bots battle each other at blinding speed while humans watch and hope the defenders manage to outwit their attacking AI opponents.

Steve Jones

