Application Security Engineer
Palo Alto, CA | San Francisco, CA
DFINITY is reimagining the Internet as a public network that hosts secure software and services. The Internet Computer is a new technology stack that is unhackable, fast, scales to billions of users around the world, and supports a new kind of autonomous software that promises to reverse Big Tech’s monopolization of the internet. DFINITY was founded in 2016 by Dominic Williams and is backed by top-tier institutions including Polychain Capital and Andreessen Horowitz.
Application Security - Responsible for establishing and maintaining software assurance practices within DFINITY that allow continuous delivery of secure embedded systems and applications.
She or he will use advanced knowledge of systems security engineering, together with continuous delivery processes and tools, to take ownership of and enable the delivery of secure products through repeatable and automated mechanisms.
In this key position, the Application Security role will…
- Provide design and best practices in building secure DFINITY Infrastructure
- Execute audits against the distributed system, including CI/CD, staging and production environments (once production is ready)
- Develop security tools, e.g. automated key rotation and auto-recovery
- Be a security ambassador for the Infra, IT and datacenter teams
- Create the DFINITY bug bounty program (e.g. on Bugcrowd, HackerOne, etc.)
- Manage and support third-party and internal pen test teams (e.g. NCC Group, Bishop Fox, etc.)
- Conduct and manage testing and whitehat efforts
- Engage in hands-on, in-depth analysis, review, and design of the software, including technical review and analysis of source code with a security perspective. Will include reviews of in-house developed code, as well as review of technologies provided by third party vendors.
- Improve system security with vulnerability monitoring and intrusion detection systems
- Conduct ongoing security analysis of our IT architecture and designs, facilitate and perform various security tests and reviews of our code, products, services and infrastructure (DFINITY data centers).
- Guide our software development teams through the Security Development Lifecycle (SDL) by participating in design reviews, threat modeling, and in-depth security penetration testing of code and systems. These responsibilities extend to providing input on application design, secure coding practices, log forensics, log design, and application code security.
- Support and manage product security process activities, including threat and attack tree modelling, security requirements definition with the research team, cyber test planning and penetration testing.
- Collaborate with engineering/development teams to evolve the software assurance process to address security risks, and identify and eliminate bugs that may have been missed in the review process.
- Use Everything-As-Code methodologies to ensure traceability, configurability, immutability, repeatability, and governability.
- Implement automation for repeatable software assurance tasks, maintain and optimize cyber security test suites, and proactively work to reduce manual software assurance activities.
- Identify appropriate hardware and software design changes to deliver cyber secure systems and assist IT, datacenter, Infra and product teams to quantify residual product cyber risk.
- Identify cyber threats and help IT, datacenter, Infra and product teams design, deliver and deploy secure systems.
- Drive continuous improvement activities to define, measure, visualize and improve key cyber security metrics.
- Bachelor's or Master's in Computer Science or Engineering with an emphasis in Information Security or a related field, or equivalent experience.
- 5+ years developing, architecting, and implementing industrial or embedded class security solutions.
- Experience building large-scale distributed data-processing systems for network traffic analysis, incident response, and business intelligence using data mining, machine learning and deep learning.
- 10 years total in security engineering and risk remediation preferred.
- Considerable expertise or experience in at least one of the following security domains: Threat Modeling, Offensive Red Teaming or Penetration Testing, Authentication & Public Key Infrastructure (PKI), Vulnerability Management, Data Security or Cryptography.
- Able to write clear and consumable documentation.
- Active engagement and contributions to the cybersecurity community via security-related forums, blogs, security conferences, white papers, etc.
- Strong collaboration skills working cross-functionally with internal and external customers.
All qualified applicants will receive consideration for employment without regard to race, color, religion, gender, gender identity or expression, sexual orientation, national origin, genetics, disability, age, or veteran status.