by tptacek 2721 days ago
I scanned through the "General" questions in the practice test linked on the thread, paying particular attention to the "Security" questions.

Not the best.

There are two questions regarding denial-of-service attacks. One of them I found hard to answer (had a plausible answer and a plausible "none of the above"). The second one was clearer but still ambiguous. Weirdly, the ambiguity in both questions stemmed from the use of an HTTP POST login as the possible DOS vector --- why? Why use that confusing example?

The 2FA question I saw had two valid examples of 2FA (push notifications and chip-and-pin) but no "all-of-the-above". I'm curious which of those two the author has demoted.

The phishing question I'm just irritated at the superficiality of; everyone will get the right answer, but the right answer misses the point and the power of phishing attacks, which isn't "websites that look like real websites" but rather the lures (like targeted emails) that get people onto those sites. But, whatever.

The password management advice question asked for a "best" from several subjective answers.

The SMS 2FA question had two valid answers and no matching "these-two-answers" answer. I'm pretty sure the answer that was being looked for was the social-engineering phone-porting one (which is weird, because the first answer is "SMS 2FA is considered secure by current industry standards", which is certainly true for most reasonable definitions of "industry standards"). But also: that's not even the biggest problem with SMS 2FA.

There was a blockchain question. Who is this for? I'll buy that every working programmer needs to know how a phishing attack works (though perhaps not what distinguishes, in the test author's mind, a DDoS attack from a DoS attack). How many working programmers know how blockchains work?

Similarly: there was a GAN question. Come on. What was the point of that?

Finally: it's a six hour test. You weren't kidding when you called it "the SAT for programmers". It's not an especially pleasant experience (I like the interface, though). This test is a very big ask of candidates, and I think a short ways through the test it becomes clear that there's not much intrinsic merit to it; it's just a hurdle.


Thanks for the valuable feedback!

Re: GAN, we tried including ML in the Core exam, but have actually since removed ML since it wasn't working. We may introduce this as part of an ML specific subject test.

If you want to get involved designing questions, please consider applying to the TSC for next term: https://cspa.io/tsc/apply.

Serious question: why would I do that?
Six hour test on top of whatever time you spend interviewing. Because you know companies will still have you interview.
Our initial goal is to replace the technical phone screen. We are asking companies to guarantee an interview (or skip the phone screen), if they score above a certain threshold.

Long term, we hope to replace as much of the onsite as possible. But we do acknowledge we can never fully replace it.

May seem like I'm shitting on your product, but I'm not. I do a good amount of hiring[0] and have had to use services that provide similar outcomes[1]. It's mostly a waste of time and I am currently working on removing that part of the process. My main issue with your product is that I don't see how it would provide me with a better outcome than what's out there.

I want to like it enough to try it out and pay you, but I don't see the value proposition right now.

[0] Corporate Fortune 500 types in many verticals.
[1] http://derricocomputers.com/

They would have to, since this is a general-knowledge programming test.
Every version of this I have seen in the past 20 years always ends up worthless after the braindump sites pop up. How do you intend to mitigate this?