Senior Penetration Tester

Canada

DigitalOcean

An ocean of simple, scalable cloud solutions.


Do you ever wonder what happens inside the cloud?

DigitalOcean (NYSE: DOCN) simplifies cloud computing so builders can spend more time creating software that changes the world. With our mission-critical infrastructure and fully managed offerings, DigitalOcean enables startups and small and medium-sized businesses (SMBs) to rapidly deploy and scale modern applications. As a remote-first organization, our employees, like our customers, are based around the world.

We want people who are passionate about making the internet a safer place for everyone.

We’re looking for a Senior Penetration Tester to lead an internal ethical hacking function that works collaboratively alongside engineering teams to uncover vulnerabilities and weaknesses in the enterprise and consumer product environments. We believe that finding an issue is only the beginning of our work; we value cross-team coalitions and collaboration with the business to find reasonable remediations and view this post-engagement collaboration as crucial to success. Your work will make our million+ customers more secure and will help ensure that DigitalOcean is a respected contributor to the broader security community.

As a member of the Security Engineering team, you will report to the Senior Manager of Product Security. You will collaborate with other security teams and the rest of DigitalOcean to plan, coordinate, execute, and report on sophisticated ethical hacking exercises, to identify software, network, and systems vulnerabilities, and to reduce the risk posture of DigitalOcean’s systems. You will also be a primary driver of our vulnerability management program, leveraging your expertise to assess contextual impact from both your engagements and other internal and external sources. You will act as a primary point of contact for security researchers in our bug bounty program. Security at DO means solving incredibly complex problems at high scale that have real impact for our customers, our products, and the larger internet community.

What you’ll be doing:

Perform penetration testing engagements and find vulnerabilities in software, systems, and networks (55%)

  • Develop tools, methodologies, and infrastructure to support penetration testing engagements
  • Set scope, objectives, and timelines for penetration testing engagements and leverage data to create useful metrics
  • Work with security and engineering teams to communicate findings, collaborate on recommendations, and inform key stakeholders
  • Provide holistic assessments of security layers across infrastructure, application, people, and process

Lead our bug bounty and vulnerability management programs (35%)

  • Act as the primary point of contact to security researchers engaged in our bug bounty program
  • Assess and triage new vulnerabilities to the vulnerability management program to determine contextual impact to the business
  • Educate security and engineering teams on topical vulnerability patterns, in coordination with teams such as fraud & abuse and threat intelligence

Cultivate and promote a security culture (10%)

  • Champion an internal security culture (developer training, internal CTFs, etc.)
  • Help DigitalOcean engineers understand how security events impact them. How does Retbleed impact DigitalOcean’s fleet? How should the company respond to the next xz-style backdoor?

There’s no coding expectation in this role beyond scripting common pentest tools, but if interested you will have the opportunity to collaborate with our wider Security Engineering team on creating paved roads and secure defaults, amongst other projects.

What we’ll expect from you:

Required qualifications:

  • 5+ years of job-related experience pen testing web applications and network services
  • Expert understanding of software security architecture and design, threat modeling, and mitigations for common application security issues
  • Ability to find and exploit security flaws in several of:
    • Go, React, GraphQL, PHP, and Python
    • Kubernetes and cloud environments
    • Memory and process isolation, e.g., KVM, gVisor, Kata, namespaces, cgroups
    • Network protocols, e.g., BGP, Open vSwitch, BPF
  • A record of partnering with internal engineering teams to tackle security problems across an entire stack with empathy and creativity. Engineering teams are our partners, not our adversaries

Preferred qualifications:

  • 2+ years of job-related experience pen testing services deployed in public cloud infrastructure
  • Familiarity with a variety of vulnerability and risk assessment frameworks, such as CWSS, FAIR, and SSVC
  • Familiarity with various threat modeling concepts and frameworks, such as PASTA, DREAD, and STRIDE
  • Contributions to the security community, such as open source tools, research papers, or conference talks
  • While not required or expected, please highlight if you have any GIAC, eLearning, or similar certifications relevant to web, network, and systems penetration testing (OSCP, eCPPT, GPEN, BSCP, etc.)

Why You’ll Like Working for DigitalOcean:

  • We reward our employees. The salary range for this position is based on relevant years of experience and skills. Employees may qualify for a bonus in addition to base salary; bonus amounts are determined based on company and individual performance. We also provide equity compensation to eligible employees including grants of equity upon hire and the option to participate in our Employee Stock Purchase Program.
  • We value development. You will work with some of the smartest and most interesting people in the industry. We are a high-performance organization that is always challenging our teams and employees to continuously grow. We maintain a growth mindset in everything we do and invest deeply in employee development through formalized mentorship and other internal programs. We provide all employees with reimbursement for relevant conferences, training, and education.
  • We care about your well-being. In addition to cash and equity compensation, we also offer employees a competitive array of benefits. In the United States, these include health insurance, flexible vacation, retirement benefits, a generous parental leave program, and additional resources to support employees' overall well-being. While the philosophy around our benefits is the same worldwide, specific benefits may vary in other countries due to local regulations and preferences.
  • We value diversity and inclusivity. We are an equal opportunity employer and we do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.

*This is a remote role
