Senior Offensive Security Engineer
Posted 1 month ago
SurveyMonkey (NASDAQ: SVMK) is a leading global survey software company on a mission to power the curious. The company’s People Powered Data platform empowers over 17 million active users to measure and understand feedback from employees, customers, website and app users, and the market. SurveyMonkey’s products, enterprise solutions and integrations enable 335,000+ organizations to solve daily challenges, from delivering better customer experiences to increasing employee retention. With SurveyMonkey, organizations around the world can transform feedback into business intelligence that drives growth and innovation.
SurveyMonkey is a place where the curious come to grow. By embedding inclusion into our processes, policies, and culture, we are building a workplace for our 1,000+ employees across North America, Europe, and APAC where people of every background can thrive. We’ve won multiple awards and received recognition for our forward-looking policies, including extended parental and bereavement leave, vendor benefits standards, and Take 4 sabbaticals. SurveyMonkey was recognized by Great Place to Work® and FORTUNE as a top workplace in 2018 and 2019, and the company has also won numerous awards as a leader in global survey software, including being named among CNBC’s Disruptor 50 and the Forbes Cloud 100.
Over the past two years we’ve become a public company and expanded our platform with enterprise-grade features in privacy, security and compliance, putting SurveyMonkey on the path to rapidly expand our presence within the Fortune 500. We have ambitious goals to grow our international footprint as well, and every member of our troop plays a critical role in driving this growth and transformation. It’s an incredible time to join the company and be a part of our next chapter!
Does SurveyMonkey speak to you? Do you want to be part of the team responsible for securing a fast-paced, distributed environment? Do you want to have an impact today, tomorrow, and for years to come? Then you’re probably just who we need to help us implement, operate, and improve interesting, secure, and scalable solutions. We’re a friendly bunch looking for a teammate to learn and grow with. If you're looking to be an integral part of our security and brand protection, let's chat!
The offensive security engineer is responsible for planning and executing tactical penetration testing and offensive security assessments against corporate assets and SurveyMonkey products. You will work with numerous internal stakeholders to plan and execute penetration tests, perform red/blue team activities, and prioritize remediations with engineering teams. You will also work with external stakeholders including penetration testers, security auditors and bug bounty researchers to prioritize and triage findings. As an offensive security engineer, you will be responsible for end-to-end execution, including planning, reconnaissance, vulnerability identification and exploitation, detailed technical and executive reporting, technical remediation and tracking for closure.
- Perform adversarial simulations on both internet and internal assets, including but not limited to wireless, web application, API, cloud and containers
- Evaluate the efficacy of existing detection and mitigation mechanisms and identify gaps in visibility, data, tools, and processes
- Perform penetration testing against SurveyMonkey assets and implement tools that assist with the execution of security assessments and red/blue teaming engagements
- Develop red/blue team exercises to ensure adequate logging and response capabilities
- Engage and educate engineering teams on penetration testing findings and application security best practices to help improve application security posture
- Review design proposals and threat models to ensure security is ‘built in’
- Exploit vulnerabilities, document and track findings and work with various teams to improve the security of both our products and the organization
- Develop clear, detailed reports and recommendations based on evidence from security assessments
- Work closely with development teams to mitigate or remediate security vulnerabilities
- Coordinate independent application and network penetration tests executed by external security firms
- Coordinate and triage critical bug bounty findings and work with security researchers and engineering teams to coordinate remediation plans
- Work with vulnerability management, product security and other security programs to align remediation efforts to protect SurveyMonkey from known threats
- Develop and maintain metrics demonstrating offensive security engagements and remediation tracking
- Manage and maintain the DAST tool
- Develop, automate, and integrate various tools to create scalable offensive security operations and processes
- Experience performing web application penetration testing assessments
- Knowledge of server (Linux, Windows) and client (Windows, OS X, Linux) operating systems
- Knowledge and understanding of attack surfaces for applications, enterprise systems and services
- Experience in at least one of PHP, Python, Ruby, or Java
- 5+ years of experience conducting application security assessments and penetration tests
- Experience with bug bounty programs
- Able to take on new opportunities and tough challenges with a sense of urgency, high energy and enthusiasm
- Experience gaining the confidence and trust of others through honesty, integrity, and authenticity
- Take a broad view when approaching issues, using a global lens
Nice to Haves
- Knowledge of AWS, Docker and Kubernetes
- Prior experience running or developing an offensive security program
- Security certifications (e.g., OSCP, GPEN, GCIH, GWAPT, etc.)
At SurveyMonkey, we offer competitive salaries, medical/dental benefits, PTO, 401k, paid holidays and parental leave, and equity compensation.
SurveyMonkey is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.