Monday, July 07, 2008

Web Security Specialist ~ Tenacious Hunter Needed

We're hiring, especially those want to hack into websites for a living. That's right, paid to hack. If you don't know how, that's OK because we're ready to train. If you or someone you know might be interested in the opportunity, fill out the form on the job listing page. Note: you must reside in the S.F. Bay Area or willing to relocate.

"WhiteHat Security has an amazing opportunity for the creative person itching to take a crack at poking holes in websites while on the prowl for gaping security vulnerabilities. In this role you will have access to thousands – yes, thousands – of well-known websites. Your job will be to actively root through them looking for all the ways a blackhat might use to break into a site. In this role you will master the basics of web application security and secure software engineering and learn what it takes to become a skilled hacker--an incredible launching pad for your career in the web application security industry."

29 comments:

Alexander Berezhnoy said...

I guess, you hardly consider candidates from Russia, right? :)

Kyran said...

I don't have a passport, so if you can wait 2-4 months, I'm there!

Jeremiah Grossman said...

@Alexander, nah.. everyone must be here onsite.

@kryan, the position is never "closed", we are always in need of more as that groups will be constantly growing to fill the demand.

Kyran said...

Well then, I'll talk to you later! :D

Awesome AnDrEw said...

I would need to relocate there, but finally a decent opportunity for work.

Jeremiah Grossman said...

from where?

It is a good opportunity. A rather large group that does nothing but hack websites and figure out cool new ways to do so.

Robert said...

That would sure beat my current job with a stick. I wish I was closer.... :(

Awesome AnDrEw said...

Jeremiah, is there a better way to contact you about these positions? I would be willing to relocate for an opportunity like this, and have realized for quite some time that in order to actually obtain a career in penetration testing and software security architecture I would most likely have to move out to California anyhow being as there are slightly limited I.T./I.S. jobs available on the Eastern half of the U.S. (as far as auditing goes). I'm interested to know all of the details about it.

Jeremiah Grossman said...

Sure, just email me directly.

Anonymous said...

I've been doing web application assessments for a long time. What I find difficult to grasp, as I seek employment elsewhere, is that so many companies still require on-site-only staff. Being a "virtual employee" or "telecommuter" for 5 years makes a jump from this lifestyle back into "The Office" lifestyle a bit of a challenge. Although there has been a lot of talk, recently, about a renewed push for remote employee programs.

Too bad you don't have options for remote employees. I know a good chunk of a whole team that's ready to leave.

Jeremiah Grossman said...

None of our operations team travels, as we're not consultants. At some point we plan open up more geographically distributed offices for our ops team to extend the clock. However, since our customer-base is U.S. centric, we really haven't needed to thus far. Right now we focus on making sure our technology, people, and process are perfect, then replicate elsewhere.

Anonymous said...

When I say "on-site" I'm talking about being away from my home office and at your office. Not that of clients in a consultant scenario. Anytime I'm not in my office (which is located approximately 10 feet from my bedroom) I'm "on-site". :)

Oddly enough, we had this identical conversation with another well known app testing shop. Adding to the oddity of being able to test with music thumping at any time of day or night (client testing window not withstanding) and wearing dayglo-boxers 4 days in a row while the family is out of town, the "bunny slippers crew" now refers to any work not in our humble home offices as "on-site". :)

Or perhaps I've misunderstood you completely? Suffice it to say that if there was an opportunity to work without the requirement of traveling to an office on a daily basis, I know of a number of people looking.

Jeremiah Grossman said...

I see what you are saying. OK, well, I can only tell you how we do it. Everyone comes into the office and works in coordinated teams. Clients are all remote to us. Yah, I know a lot of people are looking for similar roles, but our requirements are quite stringent and particular.

Robert said...

Jeremiah, besides read read read and tinker and break it and tinker and read. What advice do you give to someone looking to get out of network support and into the security side of things.
Is a 4 year degree really something companies look for? (I mean I realize any company that even looks remotely interesting and challenging to work for "suggest" or requires a 4 year degree or higher)Does experience, talent and a 2 year degree get any respect?
As someone looking for employees, and taking the opportunity to "advertise" it to readers of his blog, I am curious. Your wording of this blog post and the wording of the recruiting site are very different.
Signed,

Trying to "hack" his way into the security industry.

*Hack as in make it work the way you want or with what you have ;)

Jeremiah Grossman said...

Well, I can't speak for all employers in this space, and while degrees and certifications are interesting to us, its not high on our must-have scale.

Our needs are very particular and we don't expect to find the skill set in the bulk of our candidates, so we have to train them up in the space and our processes. What we look for more than anything is a demonstration of passion, personal initiation, and a highly analytical mindset. These are the things we can't train.

So as far as breaking into the industry goes, my advice is get to know as many people as you can and get involved with community projects. Few things demonstrate ones capabilities better.

Hope that helps.

Robert said...

Excellent advice.
Working there sounds like a great learning experience, I'm jealous!
Thanks for taking the time to reply!

Anonymous said...

Jeremiah,
I listen to pauldotcom and a bunch of other security podcasts and your name gets mentioned a lot. Anyway what community projects can be contributed to in order to break into the security industry? I am a Unix sys admin by profession.... just like you used to be.

Keep up the good work.

Jeremiah Grossman said...

It feels good to be well thought of. Both WASC and OWASP have several projects that anyone can freely contribute to.

http://www.webappsec.org/projects/

For your skill set you might consider the following...

Distributed Open Proxy Honeypots
Web Application Firewall Evaluation Criteria

No need to be a webappsec or coding expert here. Obviously these are just ideas and I'd highly recommend contributing to the project you'd think you'd enjoy being a part of.

Anonymous said...

Jeremiah:

I think you're totally missing the point of the questions about working from home versus moving to the Bay.

There are absolutely TONS of brilliant people who you guys are missing out on because of this archaic and outmoded idea that somehow people are more productive in an office rather than working from home, and working from anywhere in the world.

This is a high tech industry... Even in the same office, most people communicate via IM, mail, phone, and a million other methods.

Why do so many companies, especially in the Bay Area, seem to expect people to work like they were living in the 1950s?

I'd love to work for you guys and would kick ass at the job, but I'll stick with my current employer who understands performance-based-management and a distributed remote workforce.

Jeremiah Grossman said...

@anonymous, please don't assume that you understand our particular operating business requirements better than we do. We have very good reasons for doing the things the way we do, not the least of which is data security precautions. Our methods served us and more importantly our customers very well. We are not consultants and our model is completely different than the telecommuting model you may be envisioning. For many people the environment is simply not a good fit, but that's OK, timing as they say is everything.

Anonymous said...

@jeremiah

My apologies... This is big gripe of mine and my frustration with other companies besides yours is coming thru.

I will hold my ground though. I will bet that you could get better talent and deliver more value to your customers if you were willing to look at remote workers.

This does not just apply to consulting, many companies and even the US Government have adopted the model.

http://www.businessweek.com/magazine/content/06_50/b4013001.htm

http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0787960365.html

</soapbox>

Jeremiah Grossman said...

Hey, that sounds fair and fundamentally I agree with you. I mean its not like WH is culturally against a remote work force. We have many people who telecommute extensively, sales people and such. Developers as well from time to time. Its just our operations department is very special and important to us. As an indication I personally feet away from to make sure things are running smoothly. For that sense of personal assurance,I'll pay the (inefficient) premium.

Thanks for the links!

Anonymous said...

Hi,
is this position open for European candidates willing to relocate but who don't currently have a green card / visa ?

Anonymous said...

Jeremiah Grossman.. I've recently graduated with a computer science degree and am looking to get my foot in the door in web application development. My focus is php,javascript,mysql tpe stuff. I think web application security would be a very important thing to have in addition to the programming side. I'm just curious do you think this type of position would steer a programmer away from his field? Would you qualify this position in the Quality Assurance area? I have done so much programming it be a shame to loose those skills by not using them. Just wanted your opinion.

Jeremiah Grossman said...

Hello, I think it really comes down what exactly you want to do. Programmers with security background/training tend to be at least slightly more marketable because they basically have more experience. If you are straight out of school, you could find a decent progamming position where you can apply and hone your skills. Then start personal research into secure programming and just maybe your employer will pay for specialized training. If not, then you have to do it on your own. Either way the best way to demonstrate your skills is be projects, either on the job or those that are public / open source. That says a lot about a persons capabilities beyond a resume.

Hope this helps.

Anonymous said...

Hi Jeremiah,

Would you consider an Australian candidate wiling to relocate to USA.

(I understand this post is 2-3 months old and position might not be open anymore)

Jeremiah Grossman said...

Provided you can work legally in the U.S., yes we would likely consider it. And these position are always open.

Anonymous said...

Thanks for your reply Jeremiah. I would require an E3 visa which is similar to canadian TN visa (easily acquirable-matter of 7-10 days). Would that be an issue?

Jeremiah Grossman said...

That I do not know, best to email us directly and go from there.