by awestroke 1541 days ago
I know a lot about security, but I did not know about OWASP 10 before today. I knew about all the listed security issues in OWASP 10 and how to mitigate them, but not about the list itself. Perhaps look at what candidates actually know instead of $nextCoolList?

Well, personally, when I ask about something with an acronym it's just for shortness, but of course if I see the candidate a bit worried and unable to give an answer for that specifically, then I usually try to help by saying something along the lines of (in this specific case), "So if I say XSS or session hijacking, does anything come to mind?" So I don't just ask about OWASP and then move on; I try to help, so I am pretty sure that it was not just the list. But yeah, I also made an example of the one we hired; I've had candidates who knew a lot of stuff but didn't know what a decorator was, so I was making a point more specifically about concrete frameworks versus principles.
Yep, most of those items are baked into frameworks already, plus practices we've heard about from the list, but there's no need to know the name "OWASP".
This probably gets at the heart of why people [misguidedly] ask about OWASP or any other specific thing. They want to know if the candidate knows the principles, which they should, whether they're baked into all the modern frameworks or not. This might be an unpopular opinion, but I don't care how "good" your code is, or how quickly you write it, or how nice of a person you are, if you have no idea what SQL injection is or how to prevent it. Yes, day to day you might be using an ORM. But at some point you may be asked to do something with strings being passed around as SQL commands, and I don't want a bomb to go off because you only know JS because that's what React is written in, you only know SQL via your ORM of choice, etc.
This is why people are complaining about whiteboard interviews; it's the same thing. Even if I have a computer engineering background, I'm not going to remember my Campus Network Design class, because on a daily basis we don't have to remember that, but we know the knowledge exists; we just look it up when needed.