February - The shortest month of the year, and one of the coldest (maybe not so much in our Sunnyvale, CA location). That month every year when we set aside some time to show appreciation for our loved ones through gifts, greeting cards, dinner dates, flowers, and a well-considered application security posture.
Maybe that last one isn't on everyone's minds, but it is here at Matasano Security. In many environments, while application security is desirable, it generally isn't a primary requirement. Applications need to perform their core purpose, whatever that may be, so they can aid the business by driving revenue. The conflicting priorities can lead developers to make poor design decisions, rush implementations, and spend less time considering attack scenarios than would be ideal. This isn't their fault! It's a function of conflicting priorities and of focusing on those which are most tangible and most measurable.
At Matasano this balance is different. Application security is our passion, and our goal is to fill the unmet needs our clients have to strengthen their posture. Our singular focus on security helps us maintain an aptitude and laser-guided precision that's far above the mean. We truly enjoy combing through code, reviewing the flow of information into and out of an application, and finding places where malicious actors can leverage vulnerabilities to their advantage. We love our clients, but it's not the sort of love you'll read about on little candy hearts. We tell them the truth about their security, not just rosy platitudes.
Sometimes this can mean delivering bad news when we're able to totally compromise an application and execute our own code on its server. Other times it means explaining that when the server asks the client to identify itself, the client can just lie. Often it means explaining that their homegrown encryption scheme is no more unintelligible than Pig Latin. But with this bad news comes some assistance and guidance to help them prioritize improvements and strengthen their products.
This sort of work requires a very particular set of skills. A strong Application Security Consultant needs to deeply understand programming and application design. They require a foundation in the common application vulnerabilities, exploitation techniques, and mitigations. But more than this they need to be creative and able to maintain multiple perspectives simultaneously to find places where those perspectives are in conflict. They need to quickly learn and teach themselves, their peers, and their clients. Above all, they need to be able to communicate well and provide actionable advice to our clients.
If you want to see more about the sorts of things we do and love, here are some resources:
Our blog - http://chargen.matasano.com
The Matasano Crypto Challenges - http://cryptopals.com
Microcorruption, Embedded Security CTF - http://microcorruption.com
If you think you have what we need, or just want to learn more about us, visit http://matasano.com/careers or contact us via firstname.lastname@example.org.