Careers with Matasano
Matasano is always hiring application security consultants.
Appsec is all we do. We want to be the best place in the industry to do it. What does appsec mean here?
Language runtimes. Linkers. Kernel code, in WinAPI, POSIX, Mach. Messaging systems. Mobile apps. Chipsets. Ajax web apps. Bleeding edge Rails. Javascript parsers. Browser security. Foreign function interfaces. Ruby. Scala. Lisp. RF. Encryption. Markets. Trading. Firmware. Reverse engineering. Crawling around in the ventilation ducts of the world's most popular and important applications.
Does any of this stuff interest you? We could be a great place for you to work.
The role: working on small teams (1-4 people) under tight time frames mapping out and then breaking applications for software vendors and enterprises.
Some things you should know.
Unlike many security firms, Matasano has an office culture. We like seeing the people we work with. We are located in Midtown Manhattan, the Chicago Loop, and in Mountain View, California. We hire in these locations. We do relocate candidates.
We offer full benefits, including health, dental, and vision, a 401k, paid vacation, and commute benefits.
We encourage team members to do research. We have a formal research plan that includes incentive comp for conference presentations and a simple process to make sure team members get bench time and resources to complete research.
All Matasano employees get unlimited free books from Amazon. You see a book you want, you use your Matasano account, you get the book, it's yours, full stop.
We're a consultancy. Some travel is required. We work hard to minimize travel and think we largely succeed. Everybody in the company, from the President on down, shares the load; we are a company run by application pen testers.
Our hiring process.
Can you code? Are you interested in application security? You won't be wasting our time. The first step is to get in touch with us. We're happy to talk about our field and what we do. Some of the best testers we've worked with didn't have a formal security background. We love talking to software people.
Please drop us a line if you're interested.
Our hiring/interviewing process goes roughly as follows. This is going to look complicated, but we're trying to overcommunicate. It can be stressful talking to a prospective new team! Here's what you can expect with us:
- We'll get on the phone and talk to you about the company and what our work looks like. At the end of this call you should have a good idea of what we do, how our hiring process works, and answers to questions about Matasano. Most importantly, you'll have a contact at Matasano to talk with and bounce questions off of through the duration of our process.
- We do 1-3 technical phone screens. You'll talk to a senior Matasano team member who will ask you about your technical background and talk you through scenarios and concepts from our day-to-day work. If you've been doing app security for 5 years, you'll be talking about your past projects; if you're a developer, you'll be talking about code.
- We do a web app challenge. Most software written within the last several years is web code. Everyone on our team needs to be able to deliver a solid web pen test. When you're ready, you'll be given an instance of a vulnerable web application and an hour or so to break it. We timebox challenges to avoid taking too much of your time. You're doing this on your own schedule, in your own comfortable setting.
- We do a custom protocol challenge. Every Matasano team member routinely runs into exotic network protocols. We'll throw something at you that you're unlikely to have worked with before and watch you reason your way through breaking it. This challenge seems to be everyone's favorite; candidates routinely tell us how they particularly enjoyed it. That's great! It's part of our day-to-day work here. Like the web challenge, it's timeboxed and you're doing it remote.
- We'll have you write a fuzzer. Everyone here writes fuzzers. We'll give you a file format. In the language of your choosing, you'll write a fuzzer for it. This gives us a chance to see how you code and to see what types of things you automate testing for. Like the other challenges, this one is time limited and you can do it remote.
- We've talked. We've done phone screens. We've answered questions. You've done challenges for us. At this point we both have a pretty good idea whether you'll be happy working with us. If that's the case, we'll bring you onsite for an in-person interview, which concludes our hiring process.
You have questions.
We have answers! Here are some we've gotten before:
- This looks complicated. How long does it take?
- Not that long! We work hard to minimize the amount of time we demand from candidates. We'll be 80% of the way through before you're ever asked to come on-site. We can usually wrap things up inside a few weeks.
Our goal is not to take more than a few weeks from start to finish. Please understand that things can get busy here. At the beginning of the process, you'll get a Matasano contact; please, please, please don't hesitate to use it to get status. You're very unlikely to annoy us, and much more likely to communicate enthusiasm and interest in the role. We like that.
- Do you have a list of current open reqs?
- We are always hiring application security consultants. Really.
- How much industry experience do I need to be a good fit for Matasano?
- We're always happy to talk to anyone who can code and is interested in app security. We're almost always hiring both junior and senior staff. At times, we may need senior people in order to bring more junior people on; we'll always try to be up front about this.
- Does Matasano mostly test web applications?
- Nope. We get a pretty wide selection of different things to work on. Considering that most new applications are written for the web, it's interesting that we get proportionally so much non-web stuff. We go out of our way to work on shrink-wrap, embedded, and protocol projects; it's something we're good at and enjoy doing.
With that said: everybody on our team can deliver a solid web application pentest. We don't have a kind of tester that doesn't do web apps. Some people don't enjoy web app testing. They might not like it here.
- Do I need to know Ruby or C?
- Our "house language" is Ruby, but most of the people who join our team don't know it coming in the door. If you know Python, Perl, or even Java, you will have no trouble picking up Ruby. Most Matasano team members know C; we'd like everyone to. Knowing C is a major win in application security! If you don't know it, we have resources to help you pick it up. Being enthusiastic about getting fluent in C is something we like to hear; be sure to tell us.
- Can I work remote for Matasano?
- We'd love to find a way to work with you, and we're happy to talk to you. However, you should know that we require services team members to work from one of our three offices. We are happy to relocate candidates.
- Do you do internships?
- We do indeed. We'll consider paid internships year-round. Interns do roughly the same things team members do, with a focus on tools development and research. The process for getting an internship here is similar to the process above, but abbreviated. You'd want to be happy coding. Like all our roles, our internships are in Manhattan, Mountain View, and Chicago. Contact us for more information.