We've built a really exceptional team at Security Innovation made up of some of the best Security Engineers in the industry who are a closely knit group of friends who respect each other for their abilities and commitment. We sometimes say, not really joking, that we have a strict "No Jerk" policy for new hires.
Because of this great chemistry we tend to grow the team slowly, only making hires when we are absolutely sure that person will help improve the team and fit overall.
In order to be sure we only hire the best, smartest, most committed, and least likely to be a jerk we've built somewhat of a unique interview process. So you know what to expect before you start the process I wanted to lay out the process here.
The first phase of the process is to start with our challenge site. This challenge site is open to everyone, you can spend as much time on it as you'd like, you can look things up, or teach yourself anything you'd like. If you're interested please start the challenge, it's great fun and can be found at http://canyouhack.us. When you're done or when you get stuck you can e-mail firstname.lastname@example.org with your resume or for a hint.
The challenge site is set up a bit like a CTF. There are multiple challenges that should test a wide range of your abilities. In order to get to the next challenge you'll have to solve the first.
Logistics and Resume
When you send us your e-mail a few things will happen. Garrett, our project manager, will e-mail you back with a short list of questions. Some of them are logistical questions like when you can start and your legal status to work in the US. But more of them are about your interest in security, how you stay up to date with the latest security news, and whether or not you've contributed back to the industry (blogs, tools, conferences, open source contributions, etc.). These questions are really important, because we want to hire somebody who has their roots and interest in the security industry.
After you return the questionnaire one of us will do a phone screen with you. This is our chance chat with you a bit and a chance for you to ask anything you'd like about Security Innovation, the team or the work we do. This isn't really a technical phone screen, although sometimes the conversation turns that way, after all we are all nerds here. You can expect the phone screen to last between 10-30 min and you should be in a quiet area for it.
If you seem like a good fit after the phone screen and challenge site we'll set you up with our next challenge website: Super Secure Bank. This is a purposefully vulnerable website that we have built for interviews and demonstration purposes. You will have 48 hours of your choosing to find and report on as many vulnerabilities as you can. There are so many vulnerabilities in this site that you may not be able to find and report on all of them in the 48 hour window. When we review your results we'll be looking for a few things:
- Did you get good coverage on the site, or were there areas left unexplored
- What types of vulnerabilities did you find?
- How is your writing style?
- Are your reports complete?
- Are your report steps complete?
- Are your remediation steps accurate, do they follow industry best practices?
- Are the reports professional? Would we feel comfortable sending this to a client?
Candidate Background Research
If you do well on this phase of the interview process we'll start our own research into you. Of course we have your resume, but we all know how accurate those tend to be, right? We'll google around for you and look for blogs, github repos, tools, Stack Overflow questions and answers, forum posts, and your general internet presence. Of course having a long history of great contributions is great, but this won't disqualify you.
It may seem like you've had to do a lot up to this point, and that you're on your own. The purpose isn't to isolate you from the team or to make you do all of this on your own. We've just found that interviews can be very time consuming, especially when you do them like we do them, and that we want to be able to spend the most time with the best candidates. If you ever have questions about the process or team feel free to reach out again.
Talking to a human!
Next we'll schedule a live interview. If you're local to one of our offices (Seattle or Boston) we'd love for you to come into the office and meet the team. If you'll be moving to Seattle or Boston and are remote for the time being we can do this initial interview by phone.
This is a technical interview. Seriously, we've heard from candidates it's one of the most technical, difficult interviews they've ever had. The purpose of an interview, as we see it, is to test the limits of your knowledge. So if it sounds like you know something, we won't spend time on questions that you know the answer to, we'll turn it up to 11 quickly to find that limit. Again, not to make you feel bad, but to know what you know, and what you don't. Usually this first live interview takes between one and two hours. We'll use Skype or phone and some screen or document sharing if you're remote. Any aspect of the security industry is in scope, so come prepared. Obviously, if you're remote, don't google for answers you don't know. We've read all of the first pages of google, wikipedia, and OWASP. We'll know if you're looking stuff up and it won't look good. It's ok to say you don't know.
Talking to a human and then another human!
If that interview goes well we'll schedule two more back to back interviews with two more of our Senior engineers which will be similar to the first one, but cover different aspect of the job. Please feel free to ask questions as we go along about the job, company or anything else. Each of these interviews will take one to two hours each as well, so we'll schedule it for a morning or an afternoon.
Internal Discussion and Deliberation
If you've made it to this point, your part is done (unless we've asked you to do a take-home coding question, which we sometimes do). Everybody that has interviewed you will get together and discuss all of your results, from the first questions, to your blog, to your last interviews. If you seem like you'll be a good fit we'll make you an offer as soon as we can.
I realize this seems like a lot of work to get a job, but hopefully it's all worth it in the end. Everybody, but the old timers, has gone through this process and it's created a great team of engineers who have earned the respect of each other and of whom we can rely on. By going through this process you know that you'll be surrounded by the best team in the industry.