Security Penetration Tester

Singapore

Applications have closed

BitMEX

Welcome to BitMEX, Most Advanced Crypto Trading Platform for Bitcoin. Home to the Perpetual Swap, industry leading security, up to 100x leverage and a 100% verified customer base.


The Company

BitMEX is the world’s leading cryptocurrency derivatives trading platform, which has pioneered cryptocurrency trading through relentless commitment to change, and continues to set benchmarks for innovation, liquidity, and security today.

As the world's most advanced peer-to-peer crypto-products trading platform and API, BitMEX gives knowledge, confidence, and precision to hundreds of thousands of traders, transacting billions of USD a day.

Join us, as we build a thriving cryptocurrency ecosystem through strategic investments in emerging cryptocurrency technology, and create the future of digital financial services.

Overview

The goal of the penetration tester is to ensure, through active simulated attack scenarios, that no code running in BitMEX’s environments is vulnerable to exploitation. She or he achieves this by meeting with internal teams to identify and scope potential targets, identifying or setting up test environments, performing simulated attacks against the systems, and clearly documenting any findings and presenting them to the team along with recommended mitigations. The penetration tester has expert knowledge of common attacks and vulnerabilities at all levels of the technology stack, including expert knowledge of all Common Weakness Enumeration (CWE) types, the OWASP Top 10, and MITRE ATT&CK exploitation methods, and of how to test for each.

Key Responsibilities:

  • Identify, report, and help mitigate security vulnerabilities against the BitMEX platform and internal services
  • Keep up to date on the latest attack methodologies and vectors
  • Participate in internal threat modelling exercises
  • Collaborate closely with the PE, DevOps, Offensive Security, and Application Security teams to identify systems and features ripe for testing
  • Provide clear documentation on identified vulnerabilities and recommended mitigations to impacted teams
  • Be a team player and someone that others feel comfortable approaching with security questions

Skills, Traits & Competencies:

  • 5+ years of security industry experience, 2+ years in a penetration testing role
  • Strong background and expert practical understanding of Common Weakness Enumeration (CWE) types, the OWASP Top 10, and MITRE ATT&CK exploitation methods
  • Strong understanding of common appsec controls, such as CSP, SRI, the same-origin policy, cookie security, etc.
  • Strong understanding of practical attacks on cryptographic services, such as TLS (POODLE, Padding Oracle, Length Expansion, etc.)
  • Excellent written and verbal communication skills in order to effectively communicate vulnerability criticality and grading

Tags: APIs Application security Crypto DevOps MITRE ATT&CK Offensive security Oracle OWASP Pentesting TLS Vulnerabilities

Region: Asia/Pacific
Country: Singapore
Category: PenTesting Jobs
