Senior Offensive Security Engineer

100% Remote (UK/EU*)

Applications have closed

Form3

Form3 are revolutionising the way payments work from channel to payment scheme. We have developed an enterprise-grade, managed, payment technology platform that integrates across multiple payment schemes, and connects into your payment systems...


THE TEAM

The team is comprised of our Defensive and Offensive Engineering teams alongside our Information Security Officers, whilst our CISO leads the operation. Our security team interact with the product and platform engineering teams across the company to promote best practices and awareness. They’re continually baking security into our culture, utilising new technologies and open-source tools to ensure high standards of security are maintained.

THE ROLE 

Form3’s Offensive Security Engineering division is rapidly becoming more sophisticated in its approach to security testing. This team is tasked with identifying vulnerabilities and continually improving our resilience against attackers by working from the attacker’s perspective. With a wide range of tools and technologies available to you, this is your opportunity to help Form3 protect its most important assets and services. Below are some examples of projects the team is working on:

  • Penetration testing Form3’s ever-growing ecosystem.
  • Conducting code reviews and security reviews of Form3’s infrastructure (Cloud, Kubernetes).
  • Participating in threat modelling sessions and helping with vulnerability remediation.
  • Maintaining and advocating the DevSecOps mindset we have created across the business.
  • Creating new tools and methodologies to enable our team to deploy creative and effective threat assessments.
  • Researching new security vulnerabilities, threats and exploits.

THE TECH 

  • Infrastructure: AWS, GCP, Azure, Kubernetes (this will increase as we go cloud-agnostic)
  • Platform: CockroachDB, EKS, GKE, PostgresDB, Vault, Consul, Linkerd, Cilium, NATS
  • Tools: Terraform, GitHub, Flux, Prometheus, Pact.io, TFSec, Travis CI
  • Code: Go, (a little Java), CQRS, Open-Source, Python (Security tools)
  • Ways of working: DevSecOps, GitOps, TDD/BDD, Pair Programming, 100% Remote

WHAT WE NEED FROM YOU AND WHY 

  • Confidence within a DevSecOps environment. Here at Form3, DevSecOps is our chosen methodology/mindset, so experience with automatic code analysis, IaC (Terraform preferably) security and CI/CD pipeline security reviews is critical here. This extends to having the ability not only to test but also to offer hands-on assistance in the remediation stages.
  • In-depth knowledge of web application penetration testing and experience with source code reviews. Manual penetration testing experience together with the ability to develop automated testing scripts.
  • Experience in Cloud-Native/Multi-Cloud offensive security engineering. Form3 is rapidly approaching its goal of becoming platform-agnostic, and our OffSec team is tasked with offering business leaders a clear perception of the cloud threat landscape through extensive testing and research.
  • Experience in Kubernetes and container security reviews and exploitation. Running on a micro-service, distributed architecture, our OffSec team are challenged with finding and exploiting vulnerabilities and loopholes to ensure that our architecture is as secure and impenetrable as possible. Networks and bare metal are included within this scope.

SPECIFIC DESIRABLES AND YOUR SPECIALISMS

  • Strong programming skills. We are flexible on languages, but we use Go as our main language for production, so a willingness or interest to learn Go is fundamental. In security we write our own scripts for automation in Python, Go and other languages while contributing to open-source tools so we can utilise them.
  • In-depth knowledge and capabilities using Linux and Unix technologies and how these can be used in the attack matrix to allow for privilege escalation and lateral movement.
  • Active contribution to Open-Source projects and tools is highly encouraged at Form3 so prior interest in this is always welcomed.
  • Keen interest in new and emerging threats, vulnerabilities and adversary advancements coupled with the ability to present these to the wider team.
  • Qualifications: OSCP, OSWE, CCT App or Inf (or equivalent), CCSAS, CCSP, Cloud Specific Qualifications

BENEFITS

  • 30 days holidays plus public holidays
  • 100% remote work
  • Flexible working arrangements
  • Statutory benefits
  • Health & wellness allowance
  • Remote working equipment allowance
  • Primary caregiver leave
  • Learning days, Udemy and educational reimbursement etc.
  • Mental Health support via Spill
  • Perlego subscription
  • Full details available on our careers page

Form3 appreciates that we all lead different and often really busy lives. We work remotely 100% of the time and many of us work part time. If you’re interested in hearing what different flexible working arrangements may be available, we’d love to chat.
 
HIRING LOCATIONS

We are able to accept applications from the following countries:
 
Belgium, Czech Republic, France, Germany, Greece, Hungary, Ireland, Netherlands, Spain, Poland, Portugal, Romania & United Kingdom.
 
ABOUT US
 
We are an award-winning cloud-native payment technology provider for financially regulated institutions. Launched in 2016, we've doubled in size year on year as we continue to redefine what a truly instant payment experience means. We celebrate diversity, promote entrepreneurialism and are committed to giving everyone a say in shaping our business. Here you will grow as a person and accomplish incredible things. A career at Form3 is empowering, inspiring and fun. Join us and help shape the future of payments.

 

OUR DEI&B COMMITMENT 

We hire talented people from a variety of backgrounds and experiences and are committed to a work environment based on diversity, open-mindedness and curiosity. We’re united by our company values (we even created them together!) and we celebrate our unique differences. 

Our employee lifecycle processes are designed to embrace equal opportunity and prevent discrimination against our people regardless of personal characteristics. It is our strong belief that the more inclusive and belonging we are as a business, the better our work will be. 

As an inclusive employer, we guarantee to interview all neurodiverse and physically disabled applicants who meet the minimum criteria for this role. We also encourage candidates to notify us of any reasonable adjustments that may be required during the recruitment process. This includes providing job adverts in alternative, accessible formats or adjustments required at interview stage. 

If you consider yourself to be neurodiverse or physically disabled under the UN definition of disability and would like to be considered under this scheme and/or require any reasonable adjustments please let us know by sending an email to careers@form3.tech clearly stating your consent for us to process this data.

For more information please refer to our Recruitment Data Policy. 
