innsecure's Introduction

Form3 InfoSec Engineering Take Home Exercise

InfoSec Engineers at Form3 work on sophisticated, highly available distributed systems in a microservices environment. We detect and evaluate threats, and set standards for engineering security. We also work with other teams to build secure systems, and to spread security awareness. This exercise is intended to mimic a real-world scenario, and should offer you the opportunity to demonstrate your security awareness, technical know-how, and communication skills.

Within this exercise we have embedded a range of vulnerabilities focusing on both application security and infrastructure security. We have added both as our goal is to build a team that encompasses both skill-sets, but we do not expect you to tackle both in their entirety. We ask that you showcase your experience as you see fit. As a general rule, we look for excellence within either domain or a strong submission across both.

Instructions

The goal of this exercise is to find and suggest fixes for security issues in this repository. To start the exercise, please create a private GitHub repository with main and production branches. Then import the code from the latest release into the main branch.

Task 1

Create a Pull Request to merge from main to production. Review and comment on the PR as you would review a PR produced by a colleague. Your comments should include vulnerabilities of varying severity.

Task 2

Produce a fix branch from main to create a working fix of one of the issues you identified, allowing you to demonstrate your coding abilities. Create a PR to merge fix into main for the reviewers to see the changes you have made. Imagine that your PR will be reviewed by the original author of the code, who is keen to learn more about security.

Once Completed

Double check that your review comments have been submitted for both PRs. If they haven't yet been submitted, there will be a pending flag next to each comment and a number next to a green "Finish your review" button in the top-right of the page.

How to submit your exercise

Let us know you've completed the exercise using the link provided at the bottom of the email from our recruitment team, and invite @form3tech-interviewer-1 to your private repo.

Troubleshooting

If you encounter any problems with the service, we encourage you to do some debugging prior to reaching out to your recruiter for assistance.

How long should you spend on this?

We're conscious that there are plenty of other demands on people's time, and we don't want you to stress about doing loads for this. The aim is to see some evidence of your security knowledge, coding ability, and communication skills in a relatively low pressure environment. If we need more material to make a decision, we'll let you know. And remember that you're welcome to get in touch if you're unsure.

License

Copyright 2019-2021 Form3 Financial Cloud

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

innsecure's People

Contributors

rossmcf3, jeeves-form3, markhowardform3
