I don't think you can really have an equation to rate the right person; I think it's more like a list of things I like or dislike in a resume.
In my opinion, the best hiring process follows the following steps (for the technical side of it):
- Review resume.
- Technical interview.
- Hands-on interview.
In this first post, I'm going to provide more details on how I review a resume and what affects my decision.
- Resume looks ugly: -1
- Obvious spelling mistakes in the resume: -3 (native speakers), -1 (others)
- Resume sent by a recruiter: +/- 5, some recruiters can take a resume and make it look terrible, or can make it look better...
- Buzzwords in the resume: -3
- Hotmail address: -3 ("Excuse me, are you from the past?")
- Own domain name: +2, with own SMTP server: +3
- Number of occurrences of the word "hack" in the resume: -1 per occurrence
- No internet presence: +/-10, can indicate the best and the worst
- Developer education: +2, someone who can write code will often be more useful than someone who can't
- Learned different things at school: +3, with special points for Maths, Cryptography, Data Mining, Signal Processing, Electronics, ...
- Didn't go to high school: +/-0, some really really smart people didn't spend much time at school.
- Job hopper: -5, training people takes time (especially if you're not using our exercises); you cannot afford to hire someone who is going to leave after a year (taking your company's knowledge with them).
- More than 7 years working for one big company/Big 4 and bragging about it: -2, if someone is not happy, he should move on and not stay at the same place for that long.
- Worked as a developer: +2, someone who can write code will often be more useful than someone who can't.
- Website developer: +3, a big part of our job is web-based; knowing how to develop for the web gives people a lot of the knowledge needed for penetration testing (common mistakes, ability to review code, ...).
- CEH: -2, too often I have been disappointed during technical interviews by CEHs. Most of them just want to hack stuff and don't properly learn how things work.
- CISSP: -3, CISSP is in my opinion a good certification for people who want to show general knowledge in security... not really the kind of people a pentest company is after.
- ISO-2700*: -4, same as CISSP with even less technical knowledge
- PCI-DSS: -2, not really technical but some really good people are certified.
- All of these certifications together: -3
- Special points for "Firstname Lastname CISSP": -4
- Lists a tool instead of a technique: -3, "sqlmap" instead of "SQL injection"
- Lists really old security tools: -3
- Obvious lack of security knowledge: -10, nonsense in the resume for example
- GitHub profile: +5
- GitHub profile with projects: +5, +3 if really good code, +4 if code in different languages
- GitHub profile with patches for open-source projects: +5 (-3 if an advisory was published for silly vulnerabilities)
- Published a vulnerability in some project at version 0.1: -3, +3 if it's a full code review and they found "all" the bugs and reported them prior to the disclosure.
- Published a stack overflow in some Russian mp3 player: -3 (typical CEH profile)
- References from someone: +10
- Twitter account: +1, -1 if only chitchat, -3 if security circus, +2 if real information on vulnerabilities
- Blog with interesting articles: +5
- Play CTF: +5
- Available on IRC: +2
- Talks at conferences: +5, unless the talk is on SCADA: -3
- Reads Phrack: +5
- Wrote in Phrack: +20 (Phrack is the *BIG* deal; writing in Phrack shows both a lot of skill and the right attitude)
- Any achievement: +3, black belt in some martial arts, won something, ...
- Did/does some team sports: +/- 0, to be honest I don't think most good pentesters are team players; they are more like traders, sharing information/tools with people they know/like/respect or people who share with them.
I know a lot of people won't agree with this rating, mostly because it's really subjective (and part of it is a bit trollish I guess). However, most of the time it provides a good overview of a resume... Obviously, if I get a resume that matches all these points, I will be really suspicious now :p