START_HERE.md

START HERE!

The take home challenge

This repo is designed for a take home challenge for candidates for Security roles here at HotDoc. It is a dummy repo simulating our "Caller ID" feature and is used to help facilitate a security review of production software. You can assume that threat modelling and a security overview happened at the start of the project, but that the output has been lost!

What do I need to do?

At the end of the challenge, you should submit:

  • THREATS.md - a sample threat modelling report that was briefly started by a member of the team; you have been left to finish it off. Fill out all the sections marked TODO.

  • A brief analysis of the project's security posture. Look through the project repo as a whole (README.md, THREATS.md and package.json) and evaluate its current security posture.

What is included?

This repo contains:

  • README.md - a brief intro to the feature, and an overview of the components involved
  • THREATS.md - a partially completed Threat Modelling report, with sections to be filled out by the candidate
  • package.json - includes the dependencies this application depends on

What is NOT included?

The actual source code of the Caller ID service is not important here (it is in fact part of the Rails monolith), so it has been omitted in order to keep the scope focussed.

Where can I get help?

You should have received an invitation to a shared Slack channel in which to ask any questions you may have. During work hours, you can expect a response within an hour.

We are primarily interested in your communication skills and how you approach threat modelling in general. There are no 'right' answers or 'gotcha' questions to this process. Feel free to ask us questions!

How long should it all take?

The whole exercise should not take more than 2 hours of your time in total. We're happy for you to break this up over a period of 4 - 5 days, which gives you enough time to check in with us on Slack and clarify any questions you have.