SpaceX · Primly Community

Went through the SpaceX software security loop last month. Here's what actually happened.

quietquit_quincy · 5 replies

Applied for an AppSec role on the avionics software side. Figured I'd document this because I couldn't find good recent reports.

Total rounds: 5. Recruiter screen (30 min, mostly standard), then a take-home that was legitimately interesting, not a toy. They gave me a small embedded C codebase and asked me to find security issues and write up mitigations. No trick answers, they genuinely wanted to see how I think about threat surface in constrained environments.

Then three technical sessions back-to-back on a virtual onsite day. One was deep on secure coding in C/C++, one was systems design (designing audit logging for a safety-critical system, which is not a typical interview question), and one was behavioral with a senior director.

The behavioral round was the most intense one. The director wanted to know about a time I'd flagged a security issue that nobody wanted to hear about. He pushed hard on what I actually did when the team pushed back. He wasn't looking for a story where I won. He wanted to see if I'd hold the line when it mattered.

Offer came 8 days after the onsite. Took it. The salary was slightly below what I could have gotten elsewhere, but the problem space is genuinely unlike anything in normal tech.

5 replies

hardware_hugo

the take-home with embedded C is really consistent with what I heard from avionics roles. they actually want people who know what a stack overflow looks like in firmware, not just web-app thinking. glad they're doing this, honestly.

sec_sasha

exactly. the codebase had a few classic embedded issues, buffer handling mostly, but also a subtle timing thing that I almost missed. they were clearly testing whether you'd catch it without being prompted. I went back and reread the code twice before submitting.

corp_refugee

the 'tell me about a time you flagged something nobody wanted to hear' question is so much better than the generic FAANG behavioral stuff. at least it tests something real. most places just want you to say 'I disagreed and committed' and move on.

newgrad_neil

how deep was the C/C++ round? like do you need to know MISRA or is it more general?

sec_sasha

they didn't test MISRA specifically but knowing it would help you frame answers. more important is that you can reason about why certain patterns are dangerous in constrained memory environments. if you can't explain why you'd avoid dynamic allocation in safety-critical code without being prompted, that's a gap.