Security Engineer

Key Qualifications

• 8+ years of experience in web application security, SSDLC, Threat Modeling
• Experience implementing, running and maintaining tools and/or processes to reliably identify security issues such as SQLi, XSS, CSRF, and business logic flaws across large code bases (SAST, DAST, PenTesting, Security Unit Testing, etc.)
• Ability to triage, reproduce, recommend remediations and implement fixes for vulnerabilities
• Passion for understanding and researching vulnerabilities and exploitation techniques
• Knowledge of development and integration tools and technologies (e.g. CI/CD)
• Knowledge of test automation frameworks and how they can be brought to bear for security QE
• Practical knowledge of applied cryptography and common attacks against modern cryptographic algorithms (encryption at rest, TLS, hashing, etc)
• Ability to work in a self directed environment that is highly collaborative and cross functional
• Educate application developers to enhance quality of security in the code
• Programming experience with Java web application & Python
• Knowledgeable regarding backend security topics such as secret management and service authentication
• Perform penetration tests and coordinate third-party vendor Pen Tests
• Rating the severity of defects and publishing comprehensive reports detailing associated risks and mitigations

Who you are

• Innate curiosity and ability to learn. Individuals should be confident in picking up new technologies and pivoting when the role requires, given the fast-paced agile development environment we support.
• Critical thinking and troubleshooting are paramount. Practical, creative solutions to difficult problems are key.
• Passion for security. We’re looking for people who genuinely care about working to create a secure product with modern, agile facing practices.

You are an ideal candidate if you have

• B.S. Computer Science or similar combination of education and experience
• Deep software development experience (Java, iOS and Android APIs, Web, Python)
• Good communication skills
• Have an excellent working knowledge and ability to educate others on common vulnerability types, including SQL/command injection, XSS, CSRF, and SSRF
• Have experience in web, database, information and/or infrastructure security
• Know and love learning about the latest security tools, infrastructure, and industry best practices
• Enjoy working across and being a resource for other engineers and sharing your knowledge of secure coding practices
• Experience in authentication and authorization: SAML, OAuth, LDAP, AD, etc
• Sound understanding of app security vulnerabilities, defense techniques and security best practices, including language-specific security measures and present-day threats
• Deep security subject matter expertise in at least one major public cloud provider (AWS, GCP, Azure) 
• Experience with deploying and securing SaaS applications and cloud environments at scale
• Working experience with CI/CD pipeline, containerization (Kubernetes, Docker, etc) and MicroServices
• Coordinating bug bounty (VRP) programs and assisting with remediation

Responsibilities

• Develop a broad and deep technical understanding of products, services and architectures.
• Leverage this understanding to conduct architecture reviews, threat modelling and code reviews on web applications, mobile applications and other relevant services.
• Work with developers to refine security checkpoints in Development cycle that are based on industry-accepted security standards and represent Security Platform in development at various stages of SDLC.
• Interpret security tools and penetration testing results to stakeholders, providing advice on vulnerability remediation and risk mitigation.
• Create relevant documentation and metrics to your stakeholders and business leaders and deliver these in a clear, concise manner.
• Research and maintain proficiency in attacker Tools, Techniques, Procedures and other security topics.
• Propose and develop training materials to help raise the security bar across the organization.
• Develop innovative and scalable tools, solutions, and processes to enhance product security operations.