Senior Penetration Tester - Web Applications

Remote - US

Robinhood


Join a leading fintech company that’s democratizing finance for all.

Robinhood was founded on a simple idea: that our financial markets should be accessible to all. With customers at the heart of our decisions, Robinhood is lowering barriers and providing greater access to financial information. Together, we are building products and services that help create a financial system everyone can participate in.

As we continue to build...

We’re seeking curious thinkers looking to co-author the next chapters of our story. Joining now means helping shape our vision, structures and systems, and playing a key role as we launch into our ambitious future.

Check out life at Robinhood on The Muse!

About the team:

Robinhood is looking for a Senior Penetration Tester who is passionate about breaking and fixing applications, services and processes to join the Robinhood Pentest Team.

The pentest team is part of the larger Offensive Security team and is a core pillar of Security & Privacy Engineering. The pentest team will work with teams across Robinhood to ensure our products, services, and processes are secure through threat modeling, automated & manual penetration testing, and tracking remediations of identified vulnerabilities.

Here are some examples of things our team does frequently that you’ll be heavily involved with:

  • Perform threat modeling against critical and new services. Articulate the actual security risk to Risk working groups.
  • Validate critical/high vulnerabilities surfaced by vulnerability automation tooling.
  • Perform application assessments and internal and external penetration tests, focusing not just on network- and application-level vulnerabilities but on fully understanding what risk those vulnerabilities pose to Robinhood, especially as they relate to business logic and fraud opportunities.
  • Triage Bug Bounty reports and interact with Bug Bounty researchers.
  • Conduct vulnerability research to understand the latest TTPs and exploits.
  • Conduct vulnerability research into future technologies Robinhood may deploy.
  • Fix issues and leave things better than you found them, rather than just finding broken things.

What you’ll do day-to-day:

  • Perform application security penetration tests to include source code reviews (Golang/Python). This will be your primary role.
  • Triage Bug Bounty reports as part of the Bug Bounty on call rotation.
  • Perform threat modeling against critical and new services. Articulate the actual security risk to risk working groups.
  • Use, configure, and write automation to identify and validate vulnerabilities surfaced by vulnerability automation tooling.
  • Perform internal and external penetration tests, code reviews, and design/architecture reviews, focusing not just on network- and application-level vulnerabilities but on fully understanding and articulating what risk those vulnerabilities pose to Robinhood, especially as they relate to business logic and fraud.
  • Work closely with development teams to mitigate or remediate security vulnerabilities, preferably by submitting Pull Requests (PRs) with the code that remediates the identified vulnerabilities.
  • Build or suggest detection and monitoring for attacks on the application or infrastructure.
  • Conduct vulnerability research to understand the latest TTPs and exploits.
  • Conduct vulnerability research into future technologies Robinhood may deploy.
  • Publish blog posts and present talks at security conferences.
  • Be a technical advocate for privacy and security decisions, designs, and discussions.
  • Make recommendations for organization-wide system improvements, optimization and/or maintenance efforts, and engage with stakeholders to remediate vulnerabilities and risks when required.

About you:

  • 3-5+ years of experience as a Penetration Tester, Security Researcher, or Security Engineer
  • Can perform source code review of Golang and Python
  • Strong foundation in computer and network security, authentication, security protocols and applied cryptography
  • Experience in web app security, vulnerability research, and penetration testing
  • Knowledge of network-based and system-level attacks and mitigation methods
  • Familiarity with at least some of the following: Python, Go, Bash
  • Familiarity with log formats and intrusion detection systems for Linux-based systems
  • Familiarity with common network protocols and standards such as DNS and TCP/IP
  • Experience with attacking cloud-based environments, software development technologies, DevOps tooling, and web applications
  • Familiarity and experience with AWS, GCP and other cloud providers, and with best practices for securing cloud infrastructure
  • Experience with containers and container orchestration systems such as Docker and Kubernetes
  • Ability to research and execute a testing plan to assess a new technology or process
  • Excellent written and verbal communication skills and the ability to communicate your findings at both a high level and a technical level
  • Demonstrated experience performing penetration testing on a remote team
  • Proficiency in communicating over text-based media (Slack, JIRA issues, GitHub issues, and email) and the ability to succinctly document technical details

Bonus points:

  • Experience in the Financial Technology domain
  • Passion and demonstrated experience for challenging security assumptions
  • Passion for fixing security issues and not just identifying security issues

CO Residents: In Colorado, the base pay for this position ranges from $169000 to $224000. This role is also eligible for an annual discretionary bonus and participation in Robinhood’s equity plan.

We’re looking for more growth-minded and collaborative people to be a part of our journey in democratizing finance for all. If you’re ready to give 100% in helping us achieve our mission—we’d love to have you apply even if you feel unsure about whether you meet every single requirement in this posting. At Robinhood, we're looking for people invigorated by our mission, values, and drive to change the world, not just those who simply check off all the boxes.

Robinhood promotes diversity and provides equal opportunity for all applicants and employees. We are dedicated to building a company that represents a variety of backgrounds, perspectives, and skills. We believe that the more inclusive we are, the better our work (and work environment) will be for everyone. Additionally, Robinhood provides reasonable accommodations for candidates on request and respects applicants' privacy rights. To review Robinhood's Privacy Policy please visit Robinhood - US Applicant Privacy Policy.

Robinhood is a primarily remote company. If hired, you will work as a remote employee unless the job you are applying for has a different working model specified. Please reach out to your recruiter if you have any questions regarding the job’s working model.

Tags: Application security Automation AWS Bash Cloud Cryptography DevOps DNS Docker Exploits Finance FinTech GCP GitHub Golang Intrusion detection Jira Kubernetes Linux Monitoring Network security Offensive security Pentesting Privacy Python TCP/IP TTPs Vulnerabilities

Perks/benefits: Conferences Salary bonus Startup environment

Regions: Remote/Anywhere North America
Country: United States
Category: PenTesting Jobs
