
innsecure's Introduction

Form3 InfoSec Engineering Take Home Exercise

InfoSec Engineers at Form3 work on sophisticated, highly available distributed systems in a microservices environment. We detect and evaluate threats, and set standards for engineering security. We also work with other teams to build secure systems, and to spread security awareness.

This exercise is intended to mimic a real-world scenario, and should offer you the opportunity to demonstrate your security awareness, technical know-how, and communication skills.

Instructions

The goal of this exercise is to find and suggest fixes for security issues in this repository. To start the exercise, please create a private GitHub repository with main and production branches. Then import the code from the latest release into the main branch.

Task 1

Create a Pull Request to merge from main to production. Review and comment on the PR as you would review a PR produced by a Software Developer who is looking to gain a deeper understanding of security. Your PR review should identify 10 vulnerabilities of varying severity, each with a detailed description. No merit will be given for identifying more than 10 issues; we are looking for quality communication rather than exhaustive time spent on this exercise.

Task 2

Produce a fix branch from main to create a working fix of one of the issues you identified, allowing you to demonstrate your engineering abilities. Create a PR to merge your fix into main for the reviewers to see the changes you have made. Imagine that your PR will be reviewed by the same software developer, who is keen to learn about how your fix has remediated the vulnerability.

If you encounter any problems with the service we would encourage you to do some debugging first, before reaching out for help.

How to submit your exercise

  1. Double check that your review comments have been submitted for both PRs. If they haven't yet been submitted, there will be a pending flag next to each comment and a number next to a green "Finish your review" button in the top-right of the page.
  2. Invite @form3tech-interviewer-1 to your private repo.
  3. Let us know you've completed the exercise using the link provided at the bottom of the email from our recruitment team.

How long should you spend on this?

We're conscious that there are plenty of other demands on people's time, and we don't want you to stress about doing loads for this. The aim is to see some evidence of your security knowledge, coding ability, and communication skills in a relatively low pressure environment. Please submit a partial solution if you feel you're running out of time. If we need more material to make a decision, we'll let you know. And remember that you're welcome to get in touch if you're unsure.

License

Copyright 2019-2021 Form3 Financial Cloud

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Contributors

jeeves-form3, markhowardform3, rossmcf3

