Select Website 

Recruitment Directory's Blog - Australia's #1 Recruitment Technology Blog!

Previous Page Previous Page  Next Page Next Page

Online Recruitment - UK Draft Code of Practice

Posted By: Thomas Shaw, 7:30am Wednesday 23 February 2011    Print Article

A draft British standard for online recruitment has been released. As per the document, the standard gives recommendations for online recruitment and is applicable to all methods of candidate attraction, screening, storage and selection using internet-based technology up to the point of acceptance of offer. The standard codifies good practice for delivery of online recruitment (direct or outsourced) and identifies the roles and responsibilities of those involved. The standard seeks to encourage increased transparency and improvement of the candidate experience.

Social media is increasingly being used by organizations to build communities with forums, groups and networking opportunities. Whilst one aim of these communities might be communicating with potential employees, by also offering information for jobseekers, it is networking rather than online recruitment and as such social media is not covered in this code of practice.

You can view the draft documentation here on the surface these pointers looks very basic, but how many of you are actually adhering to them. In the section recommendations for online recruitment practice and process, the website owner should have a process in place and delegate responsibility within the organization to ensure:
  • that all vacancies advertised are live and accurate;
  • that contact information is easily available, relevant, up-to-date and details how the enquiry will be responded to;
  • that either the employer or the website owner acknowledges receipt of a candidate’s CV when applying for a role;
  • that candidate is informed of how the data provided will be used;
  • candidates are informed of the full process for storing their CV online and, where practicable, notified if their CV or personal details have been viewed or downloaded from or by a third party;
  • their websites have been developed in accordance with BS 8878; (Not sure what BS 8878 actually is...)
  • candidates are informed of their application status at each relevant stage of the process;
  • candidates are informed of any details regarding the storage of their CV, in the event of a unsuccessful application;
  • common industry jargon and acronyms are avoided in advertisements unless this is absolutely necessary for the role;
  • where possible, appropriate information is provided in each vacancy posting e.g. corporate recruitment guidelines, application process, application close dates, etc.;
  • when designing online recruitment strategy, consideration is given to the proper integration with other recruitment methods where appropriate, such as ATS or bespoke/internal recruitment systems so that end to end process works in harmony;
  • all personal data and CVs are stored in an appropriate manner and there is the ability to remove out-of-date information; and
  • they establish a complaints policy which is communicated to and accessible by candidates.
Pretty basic stuff.

Article URL:

Article Tags: online recruitment code of practice recruitment websites online recruitment systems ats job board resume candidate cv online recruitment code of practice

Comments View Comments (1)

Robert Walters Salary Survey iPhone App

Posted By: Thomas Shaw, 10:17pm Sunday 13 February 2011    Print Article

Robert Walters have released a nifty salary survey iPhone app for users to quickly compare contract/permanent salaries for the past 3 years. The app is basically a searchable "digital" edition of the PDF edition. Set your country and you are ready to go.

Article URL:

Article Tags: robert walters salary survey iphone app iphone salary survey

Comments View Comments (0)

Monkey Business

Posted By: Thomas Shaw, 9:17pm Sunday 13 February 2011    Print Article

It's that time of the year again when US brands spend sh*tloads on TV commercials during the Super Bowl. This year CareerBuilder was the only jobs/employment related brand advertising. If you think CareerBuilder ads are all monkey business, have a look at the new video for TheLadders... err um. You be the judge!



Article URL:

Article Tags: careerbuilder superbowl 2011 theladders using video in recruitment tv ads funny ads

Comments View Comments (0)

Adlogic Mobile

Posted By: Thomas Shaw, 7:00pm Thursday 27 January 2011    Print Article

I am pleased to announce a partnership between adlogic and Recruitment Directory. We will be providing a range of mobile job site software for all of adlogic/PostJobsOnce (RCSA Members) clients. This partnership will give every adlogic client access to our advanced mobile job site software. It doesn’t matter if another vendor is currently powering your website. This mobile product is linked directly to your adlogic account.

Client mobile sites can be deployed in less than one hour. Saying that, we were able to deploy a very large client over the phone for a demonstration in 10 minutes. The full media release can be found below.

MEDIA RELEASE - 27th Jan 2011 Adlogic Mobile. A partnership between Recruitment Directory and adlogic

adlogic becomes the largest provider of mobile job search products

adlogic, Australia & New Zealand leading job multi posting system today released a suite of mobile job search products. All adlogic and PostJobsOnce (RCSA members) clients across the globe now have access to the best mobile job site product in the world.

adlogic mobile products were developed by Recruitment Directory who have partnered with adlogic to provide this world class mobile job search products for all our Recruitment Agency or Corporate clients.

This partnership will make adlogic the largest provider of mobile job search products across the globe with over 300 client mobile job sites ready to be released. The mobile product is a web enabled mobile job site that is compatible across all mobile devices “multi device enabled” including optimization for iPhone, Android, Palm, BlackBerry, Nokia, Samsung etc.

Commenting on this new product, Managing Director and Founder of adlogic, Anwar Khalil said “Our clients on average receive 5-10% of web traffic from mobile devices. With the increase use of mobile devices, we need to provide the best possible products for our clients. This partnership will allow all of our adlogic clients an easy and cost effective way of providing a mobile job search website to their users. All clients will be able to use their existing URL and be provisioned to go live in under 1 hour!”

The mobile job search product uses the clients existing website URL and jobs from their account. Users can search, view, apply and shortlist jobs via SMS/email and subscribe to email alerts all from within the clients mobile job site. Clients also have the option of integrating this into a native mobile application.

Thomas Shaw, Managing Director of Recruitment Directory, said “There has definitely been a strong uptake in the number of users searching for jobs on their mobile device and we look forward to providing all adlogic clients the best mobile job site product available in the marketplace. Our extensive mobile recruitment expertise gives adlogic a very strong competitive advantage in the marketplace.”

Article URL:

Article Tags: adlogic postjobsonce adlogic mobile rcsa mobile recruitment mobile recruiting mobile job sites iphone android recruitment directory thomas shaw anwar khalil

Comments View Comments (2)

Push Notifications for Mobile Recruitment/HR Apps

Posted By: Thomas Shaw, 8:00am Monday 17 January 2011    Print Article

The whole push notification environment is quite interesting to get your head around. It doesn't matter if the mobile application is designed for iOS (iPhone), Android or Windows 7 operating systems - the overall architecture is much the same. Push notifications should not be seen as a SMS or Email replacement, but as a complement to existing notification services.

We have been working on a number of mobile recruiting projects for clients over the past few months. One of them involves quite a complex push notification project that you may never know exists.

Push notifications are much like receiving an SMS. Your phone is alerted when a new message is received. It can also alert your application and update the badge number. The technology behind push notifications is not new; it's been around for a number of years. The technology has only become "mainstream" after integration within the Facebook iPhone application.
  • You have ## new jobs matching your search criteria
  • New resume for ## has been received
  • Your timesheet is due
  • Your timesheet is overdue
  • Please authorise ##'s timesheet
  • ## incident has occurred
  • Meeting with ## at ## in 10mins
  • Please call ## on ##
  • System access alert for ##
Having looked at the open/response statistics from our beta apps on a number of different devices. I am still not convinced it is the most effective way to alert job seekers. However, it dose have many practical applications for the wider HR/Recruitment system landscape. Even with hours of brainstorming, the uses seem to resolve around system messages.

The native application must authenticate and register the users device with the remote applications server to start send/receive messages. If the user removes the app, the device will reject notification.

Push notifications should never be taken for granted. There are many cases of notifications being sent from the server and the application on a device not receiving it. The problem is that the Push Notification message indicators are not built for heavy use. If you have multiple push messages coming in to you phone, only the latest one will be shown on the screen.

Have a read through some old slideshare presentations.

Article URL:

Article Tags: push notification mobile recruitment mobile recruiting mobile applications push notifications for recruitment hr technology messages sms

Comments View Comments (1)

2011 - Year of the free resume

Posted By: Thomas Shaw, 10:00am Sunday 16 January 2011    Print Article

It's only 2 weeks into the New Year, and it comes as no surprise to anyone who works in the online recruitment industry that the lack of security around resumes allows anyone with basic boolean knowledge to find resumes. Wouldn't it be great if one of your competitors has all their candidate resumes online?

You would have to tear up your RCSA/ITCRA membership up as you no longer follow the associations code of ethics, but is this really your problem? Let's think about this more...

Part of a recruiter's job is to find people. In fact, Recruiters are trained to use boolean search strings to find candidates/resumes. Basic strings like "filetype:doc resume" will immediately return results.

Recruitment Agencies store data online. Most recruitment systems are safe and secure. But there will always be the small % of insecure systems. You can't blame anyone else but yourself for not checking the security of your system. Never assume someone will tell you they can access your data.

The fact that the files are already indexed in a search engine makes it easier for anyone to find and harder to remove. This problem intensifies the more your website increases its SEO.

I declare 2011, the Year of the Free Resume.

Article URL:

Article Tags: security free resumes recruitment system online recruitment seo

Comments View Comments (1)

CareerOne iPhone App

Posted By: Thomas Shaw, 8:30am Tuesday 21 December 2010    Print Article

CareerOne has finally released the first part of their mobile arsenal. The CareerOne iPhone App was released last night allowing job seekers to search, shortlist and apply for jobs.

The CareerOne iphone app reminds me a lot like MyCareer's iphone app released earlier this year and is strangely focused around native mobile applications instead of a mobile optimized website (ie SEEK mobile)

Key features of the CareerOne iPhone app include
  • Search and view jobs on your mobile
  • Uses the phones geolocation function to find jobs near you
  • Register or sign into your existing CareerOne account to save/shortlist and apply for jobs
  • Track your previous job applications

Article URL:

Article Tags: geolocation careerone iphone app iphone app mobile recruiting careerone job board candidate profile mobile job board

Comments View Comments (0)

MyCareer's LinkedIn integration

Posted By: Thomas Shaw, 7:30am Tuesday 21 December 2010    Print Article

MyCareer has quietly integrated a number of LinkedIn features onto their job board. Users can use their existing LinkedIn profile as a "single sign on" to MyCareer instead of using the Fairfax registration process.

If you are logged into MyCareer using your LinkedIn profile, it will automatically match jobs and courses which best suit your profile. Unfortunately the "matches" did not suit my profile.

There are also a number of social networking buttons on each job in the search results. Some would say the whole product release was rushed to market after SEEK’s product release last week

When you apply for a job (using MyCareer's application form) you can also include your LinkedIn URL in the application form. Users should compare the process to other LinkedIn application form processes available.

What do you think of MyCareer's LinkedIn integration?

Article URL:

Article Tags: mycareer linkedin job board single signon linkedin integration job search job matching social networking

Comments View Comments (3)

All I want for Christmas are some funny job ads

Posted By: Thomas Shaw, 7:30am Monday 13 December 2010    Print Article

Tis the silly season for Christmas job ads. If you have seen any worth sharing, let me know.

Article URL:

Article Tags: christmas job ads funny job ads

Comments View Comments (1)

OWASP Top 10 and your Recruitment Website - Part 2

Posted By: Dmitry Kulshitsky, 4:37pm Thursday 09 December 2010    Print Article

In part 1 of this series we started a conversation about the OWASP Top 10 most prevalent security vulnerabilities and how relevant these issues were to a typical recruitment web site. In the 2nd part we will review the next 2 items from this list.

A4 - Insecure Direct Object References
  • Relevance: Very High
  • Impact: Severe
Insecure Direct Object References are third (after cross-site scripting and injections) in our series of security risks for the recruitment websites.

As the name implies an attacker tries to directly reference (or access) some kind of object on the web site. In this context ”object” means a resource (e.g. file, directory, database field etc). The actual weakness here is that a web application doesn’t always perform a check that the attacker is authorised (has permission) to access the requested resource.

The word “direct” is important and is used to highlight the fact that this request is specifically crafted and made “directly” to a resource in question bypassing the normal web application flow.

To make it clearer we will review five examples. Think of them as five different faces of the Insecure Direct Object Reference problem. Some of these examples are real incidents that happened to real companies (or something that we have seen in our logs as failed attempts) while others are more theoretical in their nature (“what can happen”) and may or may not be relevant to your particular situation.

1. Direct access to a database or a database backup

There was a real incident documented as WHID 2000-2: IKEA exposes customer information on catalog site

The Error message revealed a database file location, which could be downloaded.

If a database (or its backup!) is accessible via the web server (or FTP) then attackers don’t even need to ‘hack’ the web site to get to your data. Instead they can just download the database and have access to ALL your information at once including passwords, resumes, client details and anything else that is stored there.

A similar issue that has been recently disclosed, allows attackers to quickly work out the directory and file name of the WordPress database backup.

2. Access to a sensitive file on a web server

Some files may contain sensitive information and should not be freely accessible by anyone who visits your web site. Make sure these files are protected and cannot be viewed by directly requesting them from the web site:
  • .Net based web applications: *.config files (especially web.config)
  • WordPress: wp_config.php
  • Joomla!: configuration.php
  • Drupal: settings.php
You might also want to consider the following two scenarios that fall under the same category:
  • You generate reports into separate files, which your clients can download from the web site. If your web application generates these reports with the predictable or easy to guess names and fails to correctly limit access to this information then an attacker can download reports that belong to other clients of yours.
  • A jobseeker applies for a job and the uploaded resume is temporarily stored in a location that is accessible from the outside (e.g. /upload/temp/CVs). In this case an attacker can potentially download all resumes stored in this location.
There are 2 common weaknesses exploited here:
  • Predictable or easy to guess path to a sensitive resource on the web site
  • Files stored inside the web site directory structure (hence accessible from the outside) and a lack of access controls

3. Tampering with the web request parameters

This is quite a popular attack judging by what we see in SEEK logs. This is a simple attack that targets business logic of your web application. Reliance on untrusted input is one of the security sins. Attackers can tamper with any information supplied by the client back to the web site including:
  • Query string parameters (GET request)
  • Form field values (POST request) including hidden fields
  • Cookies
  • HTTP headers
Pay special attention to any sequential IDs that you use in your system (e.g. UserID, ClientID, SessionID, ResumeID, CoverLetterID, ApplicationID, EmailID etc) – they are easy targets!

In its simplest form this attack will look like this: Let’s say your recruitment web site allows jobseekers to download their resumes stored in the system via a URL like this:

An attacker can modify the value of the resumeID parameter (123456 -> 123457) to try to download someone else’s resume. This process can be automated to iterate through a large range of IDs to download all available resumes.

If your web site allows downloading files like this:

It is potentially risky to allow direct referencing of a file by its name. It might be possible for an attacker to supply a different file name to download a sensitive configuration file...

or source code of a web page..

The best defence against this type of attacks is to reference files by unique IDs (even better – GUIDs) and perform a lookup for the corresponding file name on the server side.

4. A directory traversal attack

It happens when an attacker tries to access system files by attempting to navigate outside of the web site root: etc/passwd system32/cmd.exe

Also see Apache Tomcat directory traversal vulnerability

For a Windows/IIS based web site I would recommend:
  • Checking the “parent paths” option (which is disabled by default in IIS6) – ideally it should remain disabled
  • Keep webroot on a different drive from the OS files. E.g. if Windows is installed on C: then have webroot on D:

5. Old code left on the web site

Although it might not be 100% correct but I would still classify this scenario as an Insecure Direct Object Reference. Imagine a situation when a functionality provided by the oldpage.php has been migrated to another page called newpage.php. The big question is: what happens to the oldpage.php! Old content implies the existence of files that:
  • Can still be accessed by anyone
  • Is never going to be tested by QA again (because it is not part of the site anymore from the functional perspective!)
  • Is still known to the search engines
Removing old content from your web site should become part of your maintenance routine.  Web logs parsing, data aggregation and analysis steps allow a site owner to see which pages have not been requested from the web site for a given period of time. These are good candidates for removal.
  • A similar process exists for database objects (tables, stored procedures) by using SQL server usage statistics to identify potential candidates for removal.
  • Deploy to production systems and monitor the system behaviour (e.g. missing files)
Questions to ask:
  • Do we store backups inside the web site root? Consider relocating these backups to a different directory not accessible via the web site.
  • Are there any *.bak, *.old files on the web site? Why?
  • Have we secured our configuration files? Use examples from section 2 (e.g. You should NOT be able to see the contents of these files.
  • Have we taken specific measures to prevent tampering with the web request parameters?
  • Do we use sequential IDs as object references?
  • Do we have proper authorisation checks in place?
  • As a bare minimum select a few critical pages and try modifying data submitted via GET (in URL) and POST (form field values) methods.
  • Do we have Parent Paths enabled? Is our webroot located on a different drive from OS files?
  • How do we deal with the old code that is no longer used?
  • Does it stay on the web server?
  • Is there a process to remove this code from the web server and source control?

A5 – Cross-Site Request Forgery (CSRF)

Relevance: Low-Medium
Impact: Moderate

CSRF is a relatively new issue. And yet the majority of the web sites are vulnerable. I set relevance for the recruitment web sites to “Low-Medium” purely because there are juicier targets (banking sites, online auctions, booking systems). But don’t underestimate it either. This “sleeping giant” can cause a lot of damage – like stealing or modifying your clients’ data, deleting resumes or posted jobs, sending your candidates offensive e-mails or e-mails containing viruses etc.

For the CSRF attack to be successful we need 2 things:
  • A victim needs to be logged in to your web site (or have an auto-login feature enabled)
  • A victim visits a web site controlled by an attacker
In this case, when a victim loads a page from an attacker’s web site, this page can make hidden requests to your recruitment web site. These requests (since the victim is logged in!) will be executed as part of the victim’s session on your web site under this user’s identity.
How do attackers do that? In its simplest form it can either be an IMG tag or an IFRAME embedded in the attacker’s web page:

<IMG SRC=””>


It can also be a link that a victim needs to click:

<A HREF=”[email protected]>OMG! Dancing pigs!</A>

Multi-step operations or submitting forms (POST request) can be easily achieved by a simple JavaScript code on the attacker’s web page.

Questions to ask:
  • Do we employ any anti-CSRF defences (e.g. anti-forgery tokens, adding per session nonce etc)? If not the probability is quite high that the site is vulnerable to CSRF.
- Do not rely on the referrer header – it can be spoofed!
- ASP.Net – consider adding SessionID into the ViewState.
- ASP.Net MVC - consider using Html.AntiForgeryToken()
  • Do we have any XSS (cross-site scripting) vulnerabilities? They will allow attackers to defeat some CSRF defences (e.g. read anti-forgery token and use this information to forge a new request)
  • Are we running the latest version of a framework? Many popular frameworks have been updated to include anti-CSRF measures – please check release notes.
  • Have we performed any penetration testing scans recently to identify CSRF flaws?
  • Since GET requests (parameters passed in the URL string) are the easiest targets – can we consider switching to POST instead?
- This is NOT a fix, but it will make it slightly more difficult for a hacker to mount such attack. Focus on pages that perform sensitive operations.

Guest blog post by Dmitry Kulshitsky, Security Architect at SEEK.

Article URL:

Article Tags: recruitment security recruitment websites owasp job boards dmitry kulshitsky security hacking insecure direct object references xss sql injections cross-site request forgery csrf

Comments View Comments (0)

Previous Page Previous Page  Next Page Next Page

Random Blog Articles

All I want for Christmas are some funny job ads
Published: 7:30am Monday 13 December 2010

How to confuse a job seeker - Part 2
Published: 2:25pm Monday 02 August 2010

Search Engine Friendly URLs
Published: 4:01pm Sunday 26 July 2009

HR Daily launches
Published: 1:31pm Tuesday 25 November 2008

Job ad of the month - I'm tired of writing boring adverts for boring Recruitment Consultants
Published: 9:26pm Monday 05 July 2010