Found in 8 comments on Hacker News
eganist · 2016-12-13 · Original thread
So given that I may likely be hiring in the web and mobile application security spaces again next year (I've _somehow_ filled all of my open positions this year; appsec is difficult to fill with external hires), I'm focusing specifically on three skills:

  • ability to assess tech/architecture risks in apps

  • experience in devops automation ("secdevops" if you will)

  • proven skill in communication regardless of depth

The ideal candidate would have all three, but I could settle with any two of these and still be happy.

I am not currently hiring, but I'll gladly keep any CVs I receive and prioritize follow-ups with anyone who reaches out to me directly. Austin/DC for curious souls.

---

p.s. the web appsec space is in ludicrous demand. If you've got a breaker mindset, you'll probably come out ahead if you read up on it. If you're a developer right now and want to dip into it, I'd suggest: https://www.amazon.com/Web-Application-Hackers-Handbook-Expl...

Trust me, us security folk will thank you. Heck I'd suggest it to non-hackery devs too. It's a good way to find out how us security types see the world.

andrew-d · 2015-05-10 · Original thread
For what it's worth, that's a fair concern. I offer two things that make it not quite as bad as you may think, though :-)

1. We don't expect applicants to be amazing at this already. Having a background in security is good, of course, but not necessary. As a data point: in the office I work out of, we have someone who used to work in a bakery, someone who worked for an insurance company, and several people who had never done security before applying to Matasano. It's my opinion that you generally learn more "on the job", as it were, than you would preparing for an interview anyway. @tptacek's post at [0] is a good example of the type of people we have working for us.

2. We generally send candidates resources to help them prepare - I believe a couple recent applicants got free copies of "The Web Application Hacker's Handbook" [1].

[0]: https://news.ycombinator.com/item?id=8395627

[1]: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

big_youth · 2014-02-07 · Original thread
I recommend grabbing a copy of the Web Application Hacker's Handbook[0] and trying to hack vulnerable VMs[1].

I see that you're a sysadmin, so if network hacking is more your speed I would download Metasploit[2] and start hacking old Linux or Windows distros.

[0] http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

[1] http://itsecgames.blogspot.com/2013/07/bee-box-hack-and-defa...

[2] http://www.metasploit.com/

jyu · 2013-06-13 · Original thread
I'd also like to know Security 101 for web developers.

In a recent appsec thread, there were two books that a lot of people recommended:

http://www.amazon.com/The-Tangled-Web-Securing-Applications/...

http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

https://news.ycombinator.com/item?id=5862102

niekmaas · 2013-06-11 · Original thread
This book covers a lot of the material: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...
