A draft British standard for online recruitment has been released. As per the document, the standard gives recommendations for online recruitment and is applicable to all methods of candidate attraction, screening, storage and selection using internet-based technology up to the point of acceptance of offer. The standard codifies good practice for delivery of online recruitment (direct or outsourced) and identifies the roles and responsibilities of those involved. The standard seeks to encourage increased transparency and improvement of the candidate experience.
Social media is increasingly being used by organizations to build communities with forums, groups and networking opportunities. Whilst one aim of these communities might be communicating with potential employees, by also offering information for jobseekers, it is networking rather than online recruitment and as such social media is not covered in this code of practice.
You can view the draft documentation here: http://drafts.bsigroup.com/Home/Details/695. On the surface these pointers look very basic, but how many of you are actually adhering to them? In the section on recommendations for online recruitment practice and process, the website owner should have a process in place and delegate responsibility within the organization to ensure:
that all vacancies advertised are live and accurate;
that contact information is easily available, relevant, up-to-date and details how the enquiry will be responded to;
that either the employer or the website owner acknowledges receipt of a candidate’s CV when applying for a role;
that candidate is informed of how the data provided will be used;
candidates are informed of the full process for storing their CV online and, where practicable, notified if their CV or personal details have been viewed or downloaded from or by a third party;
their websites have been developed in accordance with BS 8878; (Not sure what BS 8878 actually is...)
candidates are informed of their application status at each relevant stage of the process;
candidates are informed of any details regarding the storage of their CV in the event of an unsuccessful application;
common industry jargon and acronyms are avoided in advertisements unless this is absolutely necessary for the role;
where possible, appropriate information is provided in each vacancy posting e.g. corporate recruitment guidelines, application process, application close dates, etc.;
when designing an online recruitment strategy, consideration is given to proper integration with other recruitment methods where appropriate, such as an ATS or bespoke/internal recruitment systems, so that the end-to-end process works in harmony;
all personal data and CVs are stored in an appropriate manner and there is the ability to remove out-of-date information; and
they establish a complaints policy which is communicated to and accessible by candidates.
Feel free to join in on the conversation. All comments are moderated before publishing. Comments posted by subscribers don't necessarily reflect the views of Recruitment Directory.
BS 8878 is a standard for ensuring that your website is accessible to people with disabilities, similar to the W3C accessibility guidelines. It covers how websites should be tested for accessibility and good practices like ensuring the markup can be parsed by screen readers, having alt tags and subtitles on videos. It also covers having an accessibility statement on your website.
Robert Walters have released a nifty salary survey iPhone app for users to quickly compare contract/permanent salaries for the past 3 years. The app is basically a searchable "digital" edition of the PDF edition. Set your country and you are ready to go.
It's that time of the year again when US brands spend sh*tloads on TV commercials during the Super Bowl. This year CareerBuilder was the only jobs/employment related brand advertising. If you think CareerBuilder ads are all monkey business, have a look at the new video for TheLadders... err um. You be the judge!
I am pleased to announce a partnership between adlogic and Recruitment Directory. We will be providing a range of mobile job site software for all of adlogic/PostJobsOnce (RCSA Members) clients. This partnership will give every adlogic client access to our advanced mobile job site software. It doesn’t matter if another vendor is currently powering your website. This mobile product is linked directly to your adlogic account.
Client mobile sites can be deployed in less than one hour. That said, we were able to deploy a very large client over the phone for a demonstration in 10 minutes. The full media release can be found below.
adlogic becomes the largest provider of mobile job search products
adlogic, Australia and New Zealand's leading job multi-posting system, today released a suite of mobile job search products. All adlogic and PostJobsOnce (RCSA members) clients across the globe now have access to the best mobile job site product in the world.
adlogic mobile products were developed by Recruitment Directory, who have partnered with adlogic to provide these world-class mobile job search products for all our Recruitment Agency and Corporate clients.
This partnership will make adlogic the largest provider of mobile job search products across the globe with over 300 client mobile job sites ready to be released. The mobile product is a web enabled mobile job site that is compatible across all mobile devices “multi device enabled” including optimization for iPhone, Android, Palm, BlackBerry, Nokia, Samsung etc.
Commenting on this new product, Managing Director and Founder of adlogic, Anwar Khalil said “Our clients on average receive 5-10% of web traffic from mobile devices. With the increase use of mobile devices, we need to provide the best possible products for our clients. This partnership will allow all of our adlogic clients an easy and cost effective way of providing a mobile job search website to their users. All clients will be able to use their existing URL and be provisioned to go live in under 1 hour!”
The mobile job search product uses the client's existing website URL and jobs from their account. Users can search, view, apply for and shortlist jobs via SMS/email and subscribe to email alerts, all from within the client's mobile job site. Clients also have the option of integrating this into a native mobile application.
Thomas Shaw, Managing Director of Recruitment Directory, said “There has definitely been a strong uptake in the number of users searching for jobs on their mobile device and we look forward to providing all adlogic clients the best mobile job site product available in the marketplace. Our extensive mobile recruitment expertise gives adlogic a very strong competitive advantage in the marketplace.”
The whole push notification environment is quite interesting to get your head around. It doesn't matter if the mobile application is designed for iOS (iPhone), Android or Windows 7 operating systems - the overall architecture is much the same. Push notifications should not be seen as a SMS or Email replacement, but as a complement to existing notification services.
We have been working on a number of mobile recruiting projects for clients over the past few months. One of them involves quite a complex push notification project that you may never know exists.
Push notifications are much like receiving an SMS. Your phone is alerted when a new message is received. It can also alert your application and update the badge number. The technology behind push notifications is not new; it's been around for a number of years. The technology has only become "mainstream" after integration within the Facebook iPhone application.
You have ## new jobs matching your search criteria
New resume for ## has been received
Your timesheet is due
Your timesheet is overdue
Please authorise ##'s timesheet
## incident has occurred
Meeting with ## at ## in 10mins
Please call ## on ##
System access alert for ##
Having looked at the open/response statistics from our beta apps on a number of different devices, I am still not convinced it is the most effective way to alert job seekers. However, it does have many practical applications for the wider HR/Recruitment system landscape. Even after hours of brainstorming, the uses seem to revolve around system messages.
The native application must authenticate and register the user's device with the remote application server before it can send or receive messages. If the user removes the app, the device will reject notifications.
Push notifications should never be taken for granted. There are many cases of notifications being sent from the server and the application on a device not receiving them. The problem is that the push notification message indicators are not built for heavy use. If you have multiple push messages coming into your phone, only the latest one will be shown on the screen.
Have a read through some old slideshare presentations.
While some of the applications you point out for mobile push technology initially seem to be very valuable, I am a bit skeptical when it comes to real-world effectiveness. Balancing actual work time with time spent sending and receiving information is a sensitive area and one that requires extremely careful planning and implementation. While information technology is important, necessary actually, in business today, we still must give employees and managers the time and environment required to focus on completing tasks that require attention and engagement. As things stand today, employees in office environments name EMAIL as the number one OBSTACLE to productivity and time management. Increasing the frequency of communications, while decreasing the quality of those communications, can only compound time management issues.
It's only 2 weeks into the New Year, and it comes as no surprise to anyone who works in the online recruitment industry that the lack of security around resumes allows anyone with basic boolean knowledge to find them. Wouldn't it be great if one of your competitors had all their candidate resumes online?
You would have to tear up your RCSA/ITCRA membership as you no longer follow the association's code of ethics, but is this really your problem? Let's think about this more...
Part of a recruiter's job is to find people. In fact, Recruiters are trained to use boolean search strings to find candidates/resumes. Basic strings like "filetype:doc resume" will immediately return results.
Recruitment Agencies store data online. Most recruitment systems are safe and secure. But there will always be a small percentage of insecure systems. You can't blame anyone else but yourself for not checking the security of your system. Never assume someone will tell you they can access your data.
The fact that the files are already indexed in a search engine makes it easier for anyone to find and harder to remove. This problem intensifies the more your website increases its SEO.
CareerOne has finally released the first part of their mobile arsenal. The CareerOne iPhone App was released last night allowing job seekers to search, shortlist and apply for jobs.
The CareerOne iPhone app reminds me a lot of MyCareer's iPhone app released earlier this year and is strangely focused around native mobile applications instead of a mobile-optimized website (i.e. SEEK mobile).
Key features of the CareerOne iPhone app include
Search and view jobs on your mobile
Uses the phone's geolocation function to find jobs near you
Register or sign into your existing CareerOne account to save/shortlist and apply for jobs
MyCareer has quietly integrated a number of LinkedIn features onto their job board. Users can use their existing LinkedIn profile as a "single sign on" to MyCareer instead of using the Fairfax registration process.
If you are logged into MyCareer using your LinkedIn profile, it will automatically match jobs and courses which best suit your profile. Unfortunately the "matches" did not suit my profile.
There are also a number of social networking buttons on each job in the search results. Some would say the whole product release was rushed to market after SEEK’s product release last week.
When you apply for a job (using MyCareer's application form) you can also include your LinkedIn URL in the application form. Users should compare the process to other LinkedIn application form processes available.
What do you think of MyCareer's LinkedIn integration?
EQ. (2:51pm Tuesday 21 December 2010)
Yawn at the social sharing function. You would expect they could come up with something more sexy.
It needs to bring up the linkedin profile of the contact person. If they don't have one yet, it should prompt them to create one as part of the advertisement lodgement process.
It could suggest people in the company to contact about the position, the company etc. This could be tailored to fit in with each person's profile settings.
Good post, the Australian market is key for us and it's inevitable to see Linkedin being integrated with recruitment sites when such a huge number of people have a profile of some kind.
Although the implementation could be improved, it's amazing how many sites are still completely neglecting this channel.
We'll probably be adding this functionality to our own site at some point in the future.
Insecure Direct Object References are third (after cross-site scripting and injections) in our series of security risks for the recruitment websites.
As the name implies, an attacker tries to directly reference (or access) some kind of object on the web site. In this context “object” means a resource (e.g. file, directory, database field etc.). The actual weakness here is that a web application doesn’t always perform a check that the attacker is authorised (has permission) to access the requested resource.
The word “direct” is important and is used to highlight the fact that this request is specifically crafted and made “directly” to a resource in question bypassing the normal web application flow.
To make it clearer we will review five examples. Think of them as five different faces of the Insecure Direct Object Reference problem. Some of these examples are real incidents that happened to real companies (or something that we have seen in our logs as failed attempts) while others are more theoretical in their nature (“what can happen”) and may or may not be relevant to your particular situation.
1. Direct access to a database or a database backup
The Error message revealed a database file location, which could be downloaded.
If a database (or its backup!) is accessible via the web server (or FTP) then attackers don’t even need to ‘hack’ the web site to get to your data. Instead they can just download the database and have access to ALL your information at once including passwords, resumes, client details and anything else that is stored there.
A similar issue that has been recently disclosed allows attackers to quickly work out the directory and file name of the WordPress database backup.
2. Access to a sensitive file on a web server
Some files may contain sensitive information and should not be freely accessible by anyone who visits your web site. Make sure these files are protected and cannot be viewed by directly requesting them from the web site:
.Net based web applications: *.config files (especially web.config)
WordPress: wp-config.php
Joomla!: configuration.php
Drupal: settings.php
You might also want to consider the following two scenarios that fall under the same category:
You generate reports into separate files, which your clients can download from the web site. If your web application generates these reports with predictable or easy-to-guess names and fails to correctly limit access to this information, then an attacker can download reports that belong to other clients of yours.
A jobseeker applies for a job and the uploaded resume is temporarily stored in a location that is accessible from the outside (e.g. /upload/temp/CVs). In this case an attacker can potentially download all resumes stored in this location.
There are 2 common weaknesses exploited here:
Predictable or easy to guess path to a sensitive resource on the web site
Files stored inside the web site directory structure (hence accessible from the outside) and a lack of access controls
3. Tampering with the web request parameters
This is quite a popular attack judging by what we see in SEEK logs. This is a simple attack that targets business logic of your web application. Reliance on untrusted input is one of the security sins. Attackers can tamper with any information supplied by the client back to the web site including:
Query string parameters (GET request)
Form field values (POST request) including hidden fields
Cookies
HTTP headers
Pay special attention to any sequential IDs that you use in your system (e.g. UserID, ClientID, SessionID, ResumeID, CoverLetterID, ApplicationID, EmailID etc) – they are easy targets!
In its simplest form this attack will look like this: Let’s say your recruitment web site allows jobseekers to download their resumes stored in the system via a URL like this:
An attacker can modify the value of the resumeID parameter (123456 -> 123457) to try to download someone else’s resume. This process can be automated to iterate through a large range of IDs to download all available resumes.
If your web site allows downloading files like this:
It is potentially risky to allow direct referencing of a file by its name. It might be possible for an attacker to supply a different file name to download a sensitive configuration file...
The best defence against this type of attack is to reference files by unique IDs (even better, GUIDs) and perform a lookup for the corresponding file name on the server side.
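The resume download scenario above, as an added example written for this page rather than the author's code: an in-memory store (a constructed stand-in for the site's database) exposes the sequential-ID handler the text warns about beside a hardened handler that resolves an opaque token on the server side and checks ownership, and it records refused downloads so that repeated misses from one user can be flagged. The store, the `Resume` class, the method names and the starting ID 123456 are assumptions. The same opaque-reference approach covers the predictable report and CV file names described in section 2.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Resume:
    owner: str       # login name of the jobseeker who uploaded it
    filename: str    # server-side file name, never exposed to the client


class ResumeStore:
    """Constructed in-memory stand-in for a recruitment site's resume table."""

    def __init__(self):
        self._by_id = {}        # sequential resumeID -> Resume (the guessable key)
        self._by_token = {}     # opaque token -> sequential resumeID
        self._next_id = 123456  # arbitrary sample starting ID
        self.denials = []       # (session_user, token) for every refused download

    def add(self, owner, filename):
        """Store a resume and hand back an unguessable reference for use in URLs."""
        rid = self._next_id
        self._next_id += 1
        token = secrets.token_urlsafe(16)
        self._by_id[rid] = Resume(owner, filename)
        self._by_token[token] = rid
        return token

    def download_insecure(self, resume_id):
        """Vulnerable handler: trusts the client-supplied sequential resumeID
        and never asks who is requesting it (the weakness described in section 3)."""
        r = self._by_id.get(resume_id)
        return r.filename if r else None

    def download_secure(self, session_user, token):
        """Hardened handler: resolve the opaque token server-side and refuse
        unless the logged-in user owns the resume."""
        rid = self._by_token.get(token)
        r = self._by_id.get(rid)
        if r is None or r.owner != session_user:
            self.denials.append((session_user, token))
            return None
        return r.filename

    def suspicious_users(self, threshold=5):
        """Detection hook: users whose refused downloads span `threshold` or more
        distinct references look like an ID-enumeration attempt worth reviewing."""
        refs = defaultdict(set)
        for user, token in self.denials:
            refs[user].add(token)
        return sorted(u for u, s in refs.items() if len(s) >= threshold)
```

With the insecure handler, any logged-in user who changes 123456 to 123457 receives the neighbouring resume; with the hardened one, a token that does not belong to the caller returns nothing and is recorded, which gives the site owner something to alert on rather than only something to deny.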
4. A directory traversal attack
It happens when an attacker tries to access system files by attempting to navigate outside of the web site root:
For a Windows/IIS based web site I would recommend:
Checking the “parent paths” option (which is disabled by default in IIS6) – ideally it should remain disabled
Keep webroot on a different drive from the OS files. E.g. if Windows is installed on C: then have webroot on D:
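An added example (not from the original post) of the server-side check behind the recommendations in section 4: a helper that resolves a requested path under the web root and refuses anything that escapes it. The path `/srv/recruitment/webroot` and the function names are assumptions. The `ValueError` branch is where keeping the web root on a separate drive from the operating system pays off, because a target on another drive cannot share a prefix with it.

```python
import os
from urllib.parse import unquote


def resolve_under_webroot(webroot, requested):
    """Map a client-supplied relative path onto the file system, returning the
    absolute path only when it stays strictly inside `webroot`; None otherwise."""
    root = os.path.realpath(webroot)
    # Decode percent-encoding once (as the web server would) and strip any
    # leading separators so the request cannot restart from the drive root.
    relative = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(root, relative))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:
        # Paths on different drives (e.g. webroot on D:, target on C:) share
        # no common prefix: exactly the separation the article recommends.
        inside = False
    if not inside or candidate == root:
        return None
    return candidate


# Constructed sample web root; it does not need to exist for the check to run.
WEBROOT = "/srv/recruitment/webroot"


def check(requested):
    """Convenience wrapper that applies the check to the sample web root."""
    return resolve_under_webroot(WEBROOT, requested)
```

The check normalises after decoding, so `..` segments written as `%2e%2e` are caught the same way as literal ones; a path that merely starts with `/` is treated as relative to the web root rather than rejected, which keeps ordinary links working.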
5. Old code left on the web site
Although it might not be 100% correct, I would still classify this scenario as an Insecure Direct Object Reference. Imagine a situation in which the functionality provided by oldpage.php has been migrated to another page called newpage.php. The big question is: what happens to oldpage.php? Old content implies the existence of files that:
can still be accessed by anyone (http://yourrecruitmentwebsite.com/oldpage.php); and
are never going to be tested by QA again (because they are no longer part of the site from a functional perspective!)
Removing old content from your web site should become part of your maintenance routine. Web logs parsing, data aggregation and analysis steps allow a site owner to see which pages have not been requested from the web site for a given period of time. These are good candidates for removal.
A similar process exists for database objects (tables, stored procedures) by using SQL server usage statistics to identify potential candidates for removal.
Deploy the change to production systems and monitor the system behaviour (e.g. for requests for files that are now missing)
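The log parsing, aggregation and analysis step described above, as an added example that is not part of the original post: it reads constructed Common Log Format lines (not real SEEK logs), records the most recent request per path, and lists deployed pages that were never requested or not requested within a configurable idle window. The sample log, the deployed-page list, the analysis date and the 60-day threshold are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Common Log Format; these are not real SEEK logs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2011:08:01:12 +1100] "GET /newpage.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2011:08:03:44 +1100] "GET /jobs/search?q=java HTTP/1.1" 200 8042
198.51.100.9 - - [02/Nov/2010:17:20:01 +1100] "GET /oldpage.php HTTP/1.1" 200 4096
203.0.113.5 - - [11/Jan/2011:09:15:30 +1100] "POST /apply HTTP/1.1" 302 0
"""

# Constructed list of pages deployed on the server (what a directory walk would yield).
DEPLOYED_PAGES = ["/newpage.php", "/oldpage.php", "/jobs/search", "/apply",
                  "/admin/export_old.php"]

# Date on which the analysis is run (constructed).
AS_OF = datetime(2011, 1, 12, tzinfo=timezone.utc)

LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def last_request_per_path(log_text):
    """Aggregate the log into {path: most recent request time}."""
    last = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                       # skip malformed lines rather than fail
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        path = m.group("path").split("?", 1)[0]   # ignore the query string
        if path not in last or ts > last[path]:
            last[path] = ts
    return last


def removal_candidates(deployed, log_text, as_of, max_idle_days=60):
    """Deployed pages never requested, or not requested within max_idle_days."""
    last = last_request_per_path(log_text)
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(p for p in deployed if last.get(p) is None or last[p] < cutoff)


def run_example():
    return removal_candidates(DEPLOYED_PAGES, SAMPLE_LOG, AS_OF)
```

Pages on the resulting list are candidates, not verdicts: a page may be requested only by a scheduled job or a partner system that the sample window missed, so a removal still goes through the deploy-and-monitor step before the file leaves source control.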
Questions to ask:
Do we store backups inside the web site root? Consider relocating these backups to a different directory not accessible via the web site.
Are there any *.bak, *.old files on the web site? Why?
Have we secured our configuration files? Use examples from section 2 (e.g. http://yourrecruitmentwebsite.com/web.config). You should NOT be able to see the contents of these files.
Have we taken specific measures to prevent tampering with the web request parameters?
Do we use sequential IDs as object references?
Do we have proper authorisation checks in place?
As a bare minimum select a few critical pages and try modifying data submitted via GET (in URL) and POST (form field values) methods.
Do we have Parent Paths enabled? Is our webroot located on a different drive from OS files?
How do we deal with the old code that is no longer used?
Does it stay on the web server?
Is there a process to remove this code from the web server and source control?
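One way to answer the backup and configuration-file questions above offline, as an added example rather than the author's tooling: walk the web root and flag files whose names match the patterns from sections 1 and 2 and this list (`*.bak`, `*.old`, database dumps and framework configuration files). The pattern list and the sample directory tree, which the block builds in a temporary directory, are assumptions. A finding means a file is present under the web root; whether the server actually serves it still has to be confirmed by requesting it, as the configuration-file question suggests.

```python
import os
import tempfile
from fnmatch import fnmatch

# Assumed pattern list drawn from the article: stale copies, backups, and the
# framework configuration files named in section 2.
SENSITIVE_PATTERNS = ["*.bak", "*.old", "*.sql", "web.config", "wp-config.php",
                      "configuration.php", "settings.php"]


def audit_webroot(webroot):
    """Walk the web site root and return relative paths of files whose names
    match a sensitive pattern (case-insensitive), sorted for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if any(fnmatch(name.lower(), pat) for pat in SENSITIVE_PATTERNS):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_webroot():
    """Construct a throwaway directory tree for demonstration (not a real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = ["index.php", "jobs/search.php", "wp-config.php", "backup/site.sql",
              "old/index.php.old", "assets/logo.png", "admin/web.config"]
    for rel in layout:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
    return root


def run_example():
    return audit_webroot(build_sample_webroot())
```

Run against a real deployment, the same walk also answers the question about backups inside the web root: anything it reports under `backup/` or with a dump extension belongs in a directory the web server cannot reach.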
CSRF is a relatively new issue. And yet the majority of the web sites are vulnerable. I set relevance for the recruitment web sites to “Low-Medium” purely because there are juicier targets (banking sites, online auctions, booking systems). But don’t underestimate it either. This “sleeping giant” can cause a lot of damage – like stealing or modifying your clients’ data, deleting resumes or posted jobs, sending your candidates offensive e-mails or e-mails containing viruses etc.
For the CSRF attack to be successful we need 2 things:
A victim needs to be logged in to your web site (or have an auto-login feature enabled)
A victim visits a web site controlled by an attacker
In this case, when a victim loads a page from an attacker’s web site, this page can make hidden requests to your recruitment web site. These requests (since the victim is logged in!) will be executed as part of the victim’s session on your web site under this user’s identity. How do attackers do that? In its simplest form it can either be an IMG tag or an IFRAME embedded in the attacker’s web page:
Multi-step operations or submitting forms (POST requests) can easily be achieved by simple JavaScript code on the attacker’s web page.
Questions to ask:
Do we employ any anti-CSRF defences (e.g. anti-forgery tokens, adding a per-session nonce etc.)? If not, the probability is quite high that the site is vulnerable to CSRF.
- Do not rely on the referrer header – it can be spoofed!
- ASP.Net – consider adding SessionID into the ViewState.
- ASP.Net MVC – consider using Html.AntiForgeryToken()
Do we have any XSS (cross-site scripting) vulnerabilities? They will allow attackers to defeat some CSRF defences (e.g. read anti-forgery token and use this information to forge a new request)
Are we running the latest version of a framework? Many popular frameworks have been updated to include anti-CSRF measures – please check release notes.
Have we performed any penetration testing scans recently to identify CSRF flaws?
Since GET requests (parameters passed in the URL string) are the easiest targets – can we consider switching to POST instead?
- This is NOT a fix, but it will make it slightly more difficult for a hacker to mount such an attack. Focus on pages that perform sensitive operations.
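An added example of the per-session anti-forgery token defence listed in the questions above. It is written for this page, is not SEEK's code, and is a stand-in for what Html.AntiForgeryToken() provides rather than its implementation. The server derives a token from the session id under a server secret, embeds it in the legitimate form, and rejects any POST whose token does not match. The secret, the session ids and the `/jobs/delete` action are constructed. The forged request carries the victim's session but no valid token, which is the situation an IMG, IFRAME or JavaScript request from an attacker's page produces.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server secret; a real deployment keeps this out of source code.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id):
    """Per-session anti-forgery token: an HMAC of the session id under a server
    secret, so a token obtained in one session is useless in another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_delete_form(session_id):
    """The legitimate page embeds the token as a hidden field. An attacker's page
    cannot read it, because the browser does not expose another origin's HTML."""
    token = issue_token(session_id)
    return ('<form method="post" action="/jobs/delete">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="hidden" name="job_id" value="42"></form>')


def handle_delete_job(session_id, form_fields):
    """Server-side POST handler. Returns (http_status, message)."""
    supplied = form_fields.get("csrf_token", "")
    expected = issue_token(session_id)
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(supplied, expected):
        return 403, "missing or invalid anti-forgery token"
    return 200, f"job {form_fields.get('job_id')} deleted"


def legitimate_submission(session_id):
    """Simulate the real user: load the form, then submit it with the embedded token."""
    html = render_delete_form(session_id)
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', html).group(1)
    return handle_delete_job(session_id, {"csrf_token": token, "job_id": "42"})


def forged_submission(victim_session):
    """Simulate a request from an attacker's page: the browser attaches the
    victim's session (cookies), but the attacker's form carries no valid token."""
    return handle_delete_job(victim_session, {"job_id": "42"})
```

The token is bound to the session, so even a token the attacker legitimately obtained for their own account is rejected on the victim's session. As the XSS question above notes, this defence holds only while the attacker cannot run script on your origin; a cross-site scripting flaw lets a page read the hidden field and replay it.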
Guest blog post by Dmitry Kulshitsky, Security Architect at SEEK.