Careers with Matasano

Matasano is always hiring application security consultants.

Appsec is all we do. We want to be the best place in the industry to do it. What does appsec mean here?

Language runtimes. Linkers. Kernel code, in WinAPI, POSIX, Mach. Messaging systems. Mobile apps. Chipsets. Ajax web apps. Bleeding edge Rails. JavaScript parsers. Browser security. Foreign function interfaces. Ruby. Scala. Lisp. RF. Encryption. Markets. Trading. Firmware. Reverse engineering. Crawling around in the ventilation ducts of the world's most popular and important applications.

Does any of this stuff interest you? We could be a great place for you to work.

The role: working on small teams (1-4 people) under tight time frames mapping out and then breaking applications for software vendors and enterprises.

Some things you should know.

Unlike many security firms, Matasano has an office culture. We like seeing the people we work with. We are located in Midtown Manhattan, the Chicago Loop, and in Mountain View, California. We hire in these locations. We do relocate candidates.

We offer full benefits, including health, dental, and vision, a 401k, paid vacation, and commute benefits.

We encourage team members to do research. We have a formal research plan that includes incentive comp for conference presentations and a simple process to make sure team members get bench time and resources to complete research.

All Matasano employees get unlimited free books from Amazon. You see a book you want, you use your Matasano account, you get the book, it's yours, full stop.

We're a consultancy. Some travel is required. We work hard to minimize travel and think we largely succeed. Everybody in the company, from the President on down, shares the load; we are a company run by application pen testers.

Our hiring process.

Can you code? Are you interested in application security? You can't waste our time. The first step is to get in touch with us. We're happy to talk about our field and what we do. Some of the best testers we've worked with didn't have a formal security background. We love talking to software people.

Please drop us a line if you're interested.

Our hiring/interviewing process goes roughly as follows. This is going to look complicated, but we're trying to overcommunicate. It can be stressful talking to a prospective new team! Here's what you can expect with us:

  1. We'll get on the phone and talk to you about the company and what our work looks like. At the end of this call you should have a good idea of what we do, how our hiring process works, and answers to questions about Matasano. Most importantly, you'll have a contact at Matasano to talk with and bounce questions off of through the duration of our process.
  2. We do 1-3 technical phone screens. You'll talk to a senior Matasano team member who will ask you about your technical background and talk you through scenarios and concepts from our day-to-day work. If you've been doing app security for 5 years, you'll be talking about your past projects; if you're a developer, you'll be talking about code.
  3. We do a web app challenge. Most software written within the last several years is web code. Everyone on our team needs to be able to deliver a solid web pen test. When you're ready, you'll be given an instance of a vulnerable web application and an hour or so to break it. We timebox challenges to avoid taking too much of your time. You're doing this on your own schedule, in your own comfortable setting.
  4. We do a custom protocol challenge. Every Matasano team member routinely runs into exotic network protocols. We'll throw something at you that you're unlikely to have worked with before and watch you reason your way through breaking it. This challenge seems to be everyone's favorite; candidates routinely tell us how they particularly enjoyed it. That's great! It's part of our day-to-day work here. Like the web challenge, it's timeboxed and you're doing it remote.
  5. We'll have you write a fuzzer. Everyone here writes fuzzers. We'll give you a file format. In the language of your choosing, you'll write a fuzzer for it. This gives us a chance to see how you code and to see what types of things you automate testing for. Like the other challenges, this one is time limited and you can do it remote.
  6. We've talked. We've done phone screens. We've answered questions. You've done challenges for us. At this point we both have a pretty good idea whether you'll be happy working with us. If that's the case, we'll bring you onsite for an in-person interview, which concludes our hiring process.

You have questions.

We have answers! Here are some we've gotten before: