Principal Offensive Security Engineer
New York City or US - Remote
Vimeo, Inc.
Everything you need to make, manage, and share brilliant videos for marketing, employee communications, virtual events, and creative production.

As an Offensive Security Engineer at Vimeo, you will use the latest and greatest open-box and closed-box techniques to identify security weaknesses in our customer-facing web applications, our mobile applications, our backend microservices, our internal employee-facing services, and our cloud infrastructure.
You will have staging and production environments at your disposal to hack on everything from our oldest legacy components to our newest unreleased features.
You will partner with fellow pen testers to plan, carry out, and lead initiatives related to ethical hacking, red teaming, and pen testing.
You will collaborate heavily with the rest of the Application Security team, as well as the greater security team, in a variety of activities, mostly offensive in nature, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.
You will work frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.
Do you love to solve puzzles? Are you a great team player? Do you care tremendously about code quality? Then please consider joining our team!
What you’ll do:
- Internal open-box ethical hacking
- Red teaming exercises
- Assisting with periodic external penetration tests
- Mentoring colleagues
- Other potential tasks — managing our public bug bounty program, threat modeling of new features, code reviews, installation and tuning of SDLC automation, incident response, developing internal ad hoc security tools, collaborating with the infrastructure security team, collaborating with the compliance and privacy team, promoting security awareness throughout the organization, teaching defensive coding standards, consulting on remediation strategies, etc.
A typical day will look like this:
- Pentest a new feature in a staging environment
- Manual source code audit for vulnerabilities in legacy components
- Meet with folks on the Product team to learn about their newest upcoming features
- Validate a recent remediation effort by reading the PR and hacking on the feature
- Review a few new tickets in our bug bounty program (http://hackerone.com/vimeo)
- Check an alert from a tool that continuously monitors our infrastructure for exposed services
- Assist the compliance team on a privacy-related project
- Provide technical advice in response to occasional questions from developers and other members of the security team
Skills and knowledge you should possess:
- 8+ years experience in Application Security preferred
- Expertise with web application penetration testing
- Mastery of detecting and exploiting all vulnerabilities in the OWASP Top 10, as well as others
- Strong knowledge of modern web, mobile, and network security
- Ability to read code in all of the following languages: Python, Go, PHP, JavaScript, and Ruby
- Knowledge of modern frameworks
- Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.
- Confident with shell scripting and/or Python
- Confident with common SDLC components, like git, Jira, Jenkins, etc.
- Confident ability to communicate technical security concepts to developers
- At least an upper-intermediate level of English
- Expertise with Burp or OWASP Zap, as well as other semi-automated tools for enumeration, content discovery, exploitation, etc.
Bonus points (nice skills to have, but not needed):
- Links to HackerOne/BugCrowd/Intigriti/Synack profile
- Links to CVEs discovered
- Link to a Github repo with security tools/scripts you’ve developed or help maintain
- Full-stack web development experience creating RESTful applications (in any language)
- Open source vulnerability research or blog posts
About us:
Vimeo (NASDAQ: VMEO) is the world’s leading all-in-one video software solution. Our platform enables any professional, team, and organization to unlock the power of video to create, collaborate and communicate. We proudly serve our growing community of over 230 million users — from creatives to entrepreneurs to the world’s largest companies.
Vimeo is headquartered in New York City with offices around the world. At Vimeo, we believe our impact is greatest when our workforce of passionate, dedicated people represents our diverse and global community. We’re proud to be an equal opportunity employer where diversity, equity and inclusion are championed in how we build our products, develop our leaders, and strengthen our culture.
Learn more at www.vimeo.com
Learn more at www.vimeo.com/jobs
Tags: Application security Automation AWS Cloud Compliance Ethical hacking Full stack GCP GitHub Incident response JavaScript Jira Microservices Network security Offensive security Open Source OWASP Pentesting PHP Privacy Python Ruby Scripting SDLC Vulnerabilities
Perks/benefits: Salary bonus