A new campaign tracked as "Dev Popper" is targeting software developers with fake job interviews in an attempt to trick them into installing a Python remote access trojan (RAT).
I’ve gotten offered a job on the first interview and I worked there for a while. Then again, that was not in my field of IT and was a part-time job with a well-known company, alongside studies. So while it can be a red flag, it’s not always. Depends on the situation. Just stay vigilant.
Regarding that last one, my last job actually happened because I was made an offer during the first interview before even doing any sort of technical or programming test…
… of course most of the developers there were awful, so I wish they had.
It’s almost as if technical interviews are extremely important in vetting applicants…
Regarding that last one, my last job actually happened because I was made an offer during the first interview
Probably better stated as a red flag not necessarily “they’re not real.” Usually the folks at the company will want at least a little bit of time to think over the interview and discuss.
It’s almost as if technical interviews are extremely important in vetting applicants
It depends, good references and prior work can top “technical interviews” in my book. If someone’s done something interesting a conversation about that interesting thing is often far more useful.
Technical interviews are more important when you’re looking at people fresh out of college or a code bootcamp.
I’ve been offered a job during the interview. But I did think it was super sketchy and didn’t take it.
But honestly it was more of a red flag of them just being desperate than anything dodgy going on. They really weren’t prepared to pay that much money, so they wanted to offer people jobs so they wouldn’t think about it.
That’s a bad take. Unless you get your knowledge purely from shady tutorials or have a fast track bootcamp education, it’s unlikely you never touch on security basics.
I’m a software design undergrad and had to take IT Sec classes. Other profs also touched on how to safely handle dependencies and such.
While IT Security is its own specialisation, blindly trusting source code others provide you with is something a good programmer shouldn’t do.
If you need a metaphor: Just because a woodworker specialises in tables, doesn’t mean they can’t build a chair.
In my experience, your average software developer has absolutely terrible security hygiene. It’s why you see countless instances of private keys copy/pasted into public GitHub repos or the seemingly daily occurrences of massive data breaches.
My undergrad in CS (which I should point out, is still by far the most common major for software engineers) did not require a security course, and I’m fairly confident that this is pretty typical. To be honest, I wouldn’t have trusted any of my CS professors to know the first thing about security. It’s a completely different field and something that generally requires a lot of practical experience. The closest we ever got was an explanation of asymmetric vs. symmetric encryption. There was certainly no discussion of even basic things like how to properly manage secrets or authn best practices.
Everything I know now as a senior software engineer about software security has come from experience on the job. I’ve been very fortunate to work at some places that take it very seriously (including a government contractor writing cybersecurity software for the Department of Defense) and learned a lot there. But a lot of shops don’t have a culture that promotes good security hygiene, and it shows in the litany of insecure software out in the wild today.
I graduated in CS in this century and we never touched on security. If not for my own curiosity and obligatory annual compliance education on the job (and only on the last one) I would have known near nothing
It’s sad that this works. You’d think especially software professionals would be the most vigilant about running unknown code.
I run interviews, and a lot of applicants can’t write code. So they’re probably going after low-hanging fruit like that.
Makes sense, I feel bad for the guys that were happy for a chance and got screwed over. (By the hackers, not you, haha)
Some tips for people, real companies won’t:
Be careful out there!
I’ve gotten offered a job on the first interview and I worked there for a while. Then again, that was not in my field of IT and was a part-time job with a well-known company, alongside studies. So while it can be a red flag, it’s not always. Depends on the situation. Just stay vigilant.
Regarding that last one, my last job actually happened because I was made an offer during the first interview before even doing any sort of technical or programming test…
… of course most of the developers there were awful, so I wish they had.
It’s almost as if technical interviews are extremely important in vetting applicants…
Probably better stated as a red flag not necessarily “they’re not real.” Usually the folks at the company will want at least a little bit of time to think over the interview and discuss.
It depends, good references and prior work can top “technical interviews” in my book. If someone’s done something interesting a conversation about that interesting thing is often far more useful.
Technical interviews are more important when you’re looking at people fresh out of college or a code bootcamp.
I’ve been offered a job during the interview. But I did think it was super sketchy and didn’t take it.
But honestly it was more of a red flag of them just being desperate than anything dodgy going on. They really weren’t prepared to pay that much money, so they wanted to offer people jobs so they wouldn’t think about it.
Professionals in software development do not mean professionals in cyber security.
Same way you don’t expect a geologist to be a mason
That’s a bad take. Unless you get your knowledge purely from shady tutorials or have a fast track bootcamp education, it’s unlikely you never touch on security basics.
I’m a software design undergrad and had to take IT Sec classes. Other profs also touched on how to safely handle dependencies and such.
While IT Security is its own specialisation, blindly trusting source code others provide you with is something a good programmer shouldn’t do.
If you need a metaphor: Just because a woodworker specialises in tables, doesn’t mean they can’t build a chair.
In my experience, your average software developer has absolutely terrible security hygiene. It’s why you see countless instances of private keys copy/pasted into public GitHub repos or the seemingly daily occurrences of massive data breaches.
My undergrad in CS (which I should point out, is still by far the most common major for software engineers) did not require a security course, and I’m fairly confident that this is pretty typical. To be honest, I wouldn’t have trusted any of my CS professors to know the first thing about security. It’s a completely different field and something that generally requires a lot of practical experience. The closest we ever got was an explanation of asymmetric vs. symmetric encryption. There was certainly no discussion of even basic things like how to properly manage secrets or authn best practices.
Everything I know now as a senior software engineer about software security has come from experience on the job. I’ve been very fortunate to work at some places that take it very seriously (including a government contractor writing cybersecurity software for the Department of Defense) and learned a lot there. But a lot of shops don’t have a culture that promotes good security hygiene, and it shows in the litany of insecure software out in the wild today.
You are young and blissfully naive. Sec being included with development is a recent thing
Neither young or naive. Just assuming others share my experience.
I graduated in CS in this century and we never touched on security. If not for my own curiosity and obligatory annual compliance education on the job (and only on the last one) I would have known near nothing