You could pick a startup to do security work for. Or you could join our team and work for lots of startups, all at once. Latacora runs whole security teams for startups. We're a weird kind of consultancy: we have only one kind of client, and we work full-time with them for 6-18 months, doing everything every startup security team does, from software security to cryptography design to AWS and container lockdown.
Our team has been doing security work together since 2005. And for almost as long, we've been hiring people who read these kinds of HN comments, in our own weird way. We don't care about resumes or your previous work experience. We don't care how much security work you've done before. All we care about is whether you're interested in, engaged with, can lock in on our kinds of technical problems: finding security gaps and flaws, fixing them, and building software to mechanize the process.
We're just starting to ramp up hiring and I'm a bit of a mess with it, but our process is better than it ever was at Matasano. No phone screens. We'll prep you for our hiring challenges, and give you a practice challenge to mess with. We're good at this. If you're interested in doing security work, and you can code, you can't waste my time.
Too complex. Partially legal, partially because that's not where our customers are. Since we're so embedded with our customers over an extended period of time, there's more reason for them to be squeamish about data leaving the US, non-US workers, that sort of thing.
If the EU turns out to be a serious market opportunity and we grow a ton I'm sure we'll revisit that at some point.
Random unsolicited internet advice: never decide not to apply because you don't feel good enough. We all experience imposter syndrome, and most job postings are just wishlists of unrealistic qualifications copy-pasted by HR anyway (this posting excepted!).
In general, don't disqualify yourself. That's the hiring manager's job. Your job is to qualify yourself: present your best self, and demonstrate professional confidence and competence.
Yeah, good point. If anything, my experience looking at this from the inside is that the bar that is set is much lower than it seems from the job postings.
What does "cryptography design" mean in the context of a startup? Surely most CRUD startups aren't rolling anything close to low level crypto, and in most cases it'd be ill-advised to do so.
I would be curious to know about the current salaries. More than a year back I spent some time on the Matasano challenges, I think I did about half of them, I also read through half of 'Web Application Hacker's Handbook' which was sent to me. When I was at that stage, it occurred to me that I should ask about the salary, and I did that while talking to one of the pen testers at Matasano. It was about $150k for the city of New York. This was not sufficient incentive to leave my job, the figure even seemed lower than what I earned if adjusted for cost of living.
I guess I don't know a lot about NYC living costs but $150k for what seems to be an entry level position seems generous to me. Even allowing $3k a month for a one bedroom apartment, that's over 70k in after tax income for other expenses. It's more disposable income than I have now as a senior developer working remotely, though granted my pay isn't great. Plus the position listed is also remote.
Perhaps I should rephrase my question and overall context, I think. I'm a developer with about 15+ years of experience. At the time I used to earn about $110K in a no tax state. What incentive would be there for someone like me to switch jobs unless the pay is more than what I earn? I certainly don't mind taking a cut in my pay temporarily. But say within a year I expect to be making much more than what I currently earn.
Now while I agree with you that $150 may seem generous for an entry level position, a seasoned developer starting at an entry level crypto position already knows a fair number of things that will help him significantly in his crypto job, and cannot be quite considered entry level.
I view having the developer skills as more of a prereq for the job and not really a bonus, but that's just my inexperienced opinion. All I know is that I'd be plenty happy with $150k working remotely, I'm currently making about half that as a full stack dev remotely.
The incentive for me would be that I'd vastly prefer a security job over making CRUD web apps all day. So I'd take the job even at a pay loss.
You don't need a visa to work remotely for a US company if you're doing the work while in Canada (I have a couple Canadians on my team).
Really, it just comes down to payroll, insurance and benefits... that's where the complexity is. Taxes are easy, you pay income tax as usual in Canada under the reciprocal tax treaty (taxes are the government's main concern around working in another country).
In this case, that would get complicated since they want you to be in Chicago sometimes. So, they'd need to figure out the payroll, insurance and benefits and you'd have to get an E1 visa. An E1 "trader" visa lets you work onsite in the US (but you can't live here). An E1 visa can be arranged for about $6000 CDN.
Not sure why the downvotes. I've had a few different US Visas, a work authorization card, a green card, and I have Canadians working on my team now. I know how this all works and if you have any questions I'd be happy to help you figure it out.
Another Canadian in Toronto. It's not hard for US companies to work with remote Canadians but there is a perception that taxes, payroll, insurance is hard when it's not. It's frustrating because the US dollar has more buying power so they can get higher quality developers at a lower rate.
Are people that completed about half the Microcorruption CTF a decent fit for your company or is it more of the people that finished the entire thing without breaking a sweat kind of thing?
Wow, this is like the best recruiting ad I've ever seen. I don't know much about security but I'm taking the AWS Sysops in 10 days. I applied because I'm curious about the challenge.
This kind of company should be a finishing school for people interested in security and anyone interested in doing a startup as a technical founder.
It would be additional overhead, but something on the internship->residency->training program spectrum could help the whole startup ecosystem.
Something akin to the Google Brain residency. It would act as a hiring pipeline for the company (as well as good PR and rep building) and a unique opportunity for participants.
There is no better experience than doing, and if you can work on several real-life systems over a fixed period of time with experts at your back ... well that's about as appealing as it gets.
More than you could want to know about our hiring process: https://latacora.com/careers
jobs@latacora.com