[andrew-d]

For what it's worth, that's a fair concern. I offer two things that make it not quite as bad as you may think, though :-)

1. We don't expect applicants to be amazing at this already. Having a background in security is good, of course, but not necessary. As a data point: in the office I work out of, we have someone who used to work in a bakery, someone who worked for an insurance company, and several people who had never done security before applying to Matasano. It's my opinion that you generally learn more "on the job", as it were, than you would preparing for an interview anyway. @tptacek's post at [0] is a good example of the type of people we have working for us.

2. We generally send candidates resources to help them prepare - I believe a couple recent applicants got free copies of "The Web Application Hacker's Handbook" [1].

[0]: https://news.ycombinator.com/item?id=8395627

[1]: http://www.amazon.com/The-Web-Application-Hackers-Handbook/d...

[fsk]

Any interview process that requires a substantial time investment by the candidate pre-interview is broken.

Why would I spend some time learning the security niche just for one interview? I could instead work on Android development, Python, Scala, or a whole bunch of other things. Those would be useful for many jobs, and not just 1-3 employers.

Why is putting in a lot of time researching security for your interview a better use of my time than learning more widely applicable skills?

What if I put in all the time, pass the pre-screening, and then when I meet you, it turns out you aren't the type of people I'd want to work with?

[infinite8s]

It's pretty simple, then - don't apply there.

[jjarmoc]

> Any interview process that requires a substantial time investment by the candidate pre-interview is broken.

I disagree, but accept that this depends largely on the desired outcomes. If the candidates goal is to spray-and-pray by applying at dozens of companies and hoping one makes them an offer they can accept, I'll grant that requiring more time may be a hindrance. If, however, the candidate's goal is to learn something, improve their skills, and demonstrate to the potential employer that they're capable of doing this on a short time cycle, they may welcome the opportunity, and many have.

> Why would I spend some time learning the security niche just for one interview? I could instead work on Android development, Python, Scala, or a whole bunch of other things. Those would be useful for many jobs, and not just 1-3 employers.

Because you want to work in security generally, and for us specifically? I fully accept that not everyone shares career goals which align with our needs, and encourage them to pursue other avenues. If you're dream in life is to be a broadway actor, we're unlikely to be able to help. That doesn't make this goal less important to you or valuable to the world at large, it just differs from what we do and offer.

That said, if you think that security skills (and web app security specifically, which is the typical path for those learning for the interview) are relevant only to "1-3 employers" I fear you drastically underestimate the size of the market both within security consultancies and enterprises that have a security team (or just appreciate security-minded developers).

> Why is putting in a lot of time researching security for your interview a better use of my time than learning more widely applicable skills?

It may not be. There's a lot of paths to self improvement, and their suitability to a specific individual will vary, depending on that individuals goals, desires, and learning style. I don't think anyone is trying to prescribe 'the one true path to self improvement' but rather one that we've found to work, and one that we help our candidates advanced down.

> What if I put in all the time, pass the pre-screening, and then when I meet you, it turns out you aren't the type of people I'd want to work with?

Then we shake hands and each go our own ways, hopefully having learned something about each other and ourselves in the process. Maybe we've made contacts that'll be mutually valuable in the future whether it be for future employment, a business relationship, or simply someone to chat with at some developer meetup, conference, etc. and bounce ideas off of. Choosing not to continue a relationship is a perfectly viable outcome of any interview process.