Principal Offensive Security Engineer
New York, NY or US - Remote
Vimeo, Inc.Unlock the power of video and join over 200M professionals, teams, and organizations who use Vimeo to create, collaborate and communicate.
As an Offensive Security Engineer at Vimeo, you will use the latest and greatest open-box and closed-box techniques to identify security weaknesses in our customer-facing web applications, our mobile applications, our backend microservices, our internal employee-facing services, and our cloud infrastructure.
You will have staging and production environments at your disposal to hack on everything from our oldest legacy components to our newest unreleased features.
You will partner with fellow pen testers to plan, carry out, and lead initiatives related to ethical hacking, red teaming, and pen testing.
You will collaborate heavily with the rest of the Application Security team, as well as the greater security team, in a variety of activities, mostly offensive in nature, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.
You will work frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.
Do you love to solve puzzles? Are you a great team player? Do you care tremendously about code quality? Then please consider joining our team!
What you’ll do:
- Internal open-box ethical hacking
- Red teaming exercises
- Assisting with periodic external penetration tests
- Mentoring colleagues
- Other potential tasks — managing our public bug bounty program, threat modeling of new features, code reviews, installation and tuning of SDLC automation, incident response, developing internal ad hoc security tools, collaborating with the infrastructure security team, collaborating with the compliance and privacy team, promoting security awareness throughout the organization, teaching defensive coding standards, consulting on remediation strategies, etc.
- A typical day will look like this:
- Pentest a new feature in a staging environment
- Manual source code audit for vulnerabilities in legacy components
- Meet with folks on the Product team to learn about their newest upcoming features
- Validate a recent remediation effort by reading the PR and hacking on the feature
- Review a few new tickets in our bug bounty program (http://hackerone.com/vimeo)
- Check an alert from a tool that continuously monitors our infrastructure for exposed services
- Assist the compliance team on a privacy-related project
- Provide technical advice in response to occasional questions from developers and other members of the security team
Skills and knowledge you should possess:
- 8+ years experience in Application Security preferred
- Expertise with web application penetration testing
- Mastery detecting and exploiting all vulnerabilities on the OWASP Top 10, as well as others
- Strong knowledge of modern web, mobile, and network security
- Knowledge of modern frameworks
- Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.
- Confident with shell scripting and/or Python
- Confident with common SDLC components, like git, Jira, Jenkins, etc.
- Confident ability to communicate technical security concepts to developers
- At least an upper-intermediate level of English
- Expertise with Burp or OWASP Zap, as well as other semi-automated tools for enumeration, content discovery, exploitation, etc.
Bonus points (nice skills to have, but not needed):
- Links to HackerOne/BugCrowd/Intigriti/Synack profile
- Links to CVEs discovered
- Link to a Github repo with security tools/scripts you’ve developed or help maintain
- Full-stack web development experience creating RESTful applications (in any language)
- Open source vulnerability research or blog posts
Vimeo (NASDAQ: VMEO) is the world’s leading all-in-one video software solution. Our platform enables any professional, team, and organization to unlock the power of video to create, collaborate and communicate. We proudly serve our growing community of over 230 million users — from creatives to entrepreneurs to the world’s largest companies.
Vimeo is headquartered in New York City with offices around the world. At Vimeo, we believe our impact is greatest when our workforce of passionate, dedicated people, represents our diverse and global community. We’re proud to be an equal opportunity employer where diversity, equity and inclusion is championed in how we build our products, develop our leaders, and strengthen our culture.
Explore more Information Security career opportunities
- Open Vulnerability Analyst jobs
- Open Senior Information Security Engineer jobs
- Open Threat Intelligence Response Analyst jobs
- Open Staff Security Engineer jobs
- Open IT Security Engineer jobs
- Open Senior Infrastructure Security Engineer jobs
- Open Senior Penetration Tester jobs
- Open Principal Security Engineer jobs
- Open Cyber Security Architect jobs
- Open Cybersecurity Analyst jobs
- Open Senior Incident Response Analyst jobs
- Open Personnel Security Officer jobs
- Open SOC Analyst jobs
- Open Information Security Architect jobs
- Open Chief Information Security Officer jobs
- Open Sr. Product Security Engineer jobs
- Open IAM Engineer jobs
- Open Information Security Officer jobs
- Open Sr. Software Engineer - Detection Engineering jobs
- Open Cybersecurity Engineer jobs
- Open Senior Information Security Analyst jobs
- Open Staff Engineer, Cloud Security jobs
- Open Azure Security Engineer jobs
- Open Privacy Manager jobs
- Open Software Security Engineer jobs
- Open Threat intelligence-related jobs
- Open PCI-related jobs
- Open Clearance-related jobs
- Open IDS-related jobs
- Open Open Source-related jobs
- Open CEH-related jobs
- Open Forensics-related jobs
- Open Machine Learning-related jobs
- Open Splunk-related jobs
- Open Intrusion detection-related jobs
- Open Encryption-related jobs
- Open Ruby-related jobs
- Open Security assessments-related jobs
- Open OSCP-related jobs
- Open Threat detection-related jobs
- Open Docker-related jobs
- Open GDPR-related jobs
- Open IPS-related jobs
- Open HIPAA-related jobs
- Open DevSecOps-related jobs
- Open PowerShell-related jobs
- Open Cryptography-related jobs
- Open DNS-related jobs
- Open TCP/IP-related jobs