Security Engineer, Application Security

Bengaluru, India

Grab

Grab is Southeast Asia’s leading superapp. It provides everyday services like Deliveries, Mobility, Financial Services, and More.


Company Description

Life at Grab

At Grab, every Grabber is guided by The Grab Way, which spells out our mission, how we believe we can achieve it, and our operating principles - the 4Hs: Heart, Hunger, Honour and Humility. These principles guide and help us make decisions as we work to create economic empowerment for the people of Southeast Asia.

Job Description

Get to know the Team

Grab’s Application Security team is part of the Cyber Security team at Grab, and we focus on keeping our applications and data safe while adapting to the high-speed growth of our business. We are the team that focuses on exploring and using advanced techniques to detect, mitigate, and remediate vulnerabilities and security flaws in Grab. If you are looking for an environment where you can continuously learn and grow, then you should join our team!

Get to know the Role

We are looking for someone who is passionate about exploring new technologies (i.e. LLM) and methodologies to elevate and participate in redefining a new generation of the Application Security function. This role will report into the Application Security function, working alongside other security engineers who are responsible for Application Security of apps and services in the areas of threat modeling, specification reviews, code reviews, and penetration testing. We believe a successful candidate is a team player who has excellent communication skills, creative problem-solving ability, and a strong passion for cybersecurity, but if you believe you have what it takes then we’d love to hear from you either way. This role is required because we care about Grab’s mission and we would like someone who is outstanding to perform code review and organize penetration testing and possible red teaming for various systems at Grab.

The Day-to-Day Activities

 

  • Identify and drive remediation of high-priority Web/Mobile application/environment security issues, including:
    • Screening potential issues
    • Providing remediation guidance to issue owners
    • Conducting validations of potential fixes or mitigations
    • Providing risk and impact assessments of vulnerabilities or proposed mitigations
  • Support other Cyber Security teams with application security expertise
  • Participate in Grab’s Bug Bounty Program on HackerOne
  • Triage security issues reported from Grab’s Bug bounty program
  • Follow up with the relevant development teams for fixes
  • Follow up and help the Cyber incident response team with the investigation
  • Conduct application security testing and source code auditing for a variety of technologies
  • Provide clear and detailed risk assessment and remediation guidelines for developers and business owners
  • Conduct penetration testing targeting critical Application data, services, and environments; reporting underlying security issues and proposing improved security protections
  • Research the latest cybersecurity standard methodologies, trends, threats, vulnerabilities, and technology frameworks
  • Document and disseminate security guidelines for common security issues, remediation mentorship, and security technology baselines
  • Develop tools and exploits to support application security review and/or penetration testing 

Qualifications

The Must-Haves

  • You have Heart, Hunger, Honour and Humility 
  • 2+ years of security industry experience utilizing web/mobile application security and knowledge of the security / threat landscape.
  • Working experience with cloud technologies such as AWS, Google Cloud, Ali, and Azure.
  • Fundamental understanding of defense-in-depth methodologies.
  • Ability to develop technical solutions and use existing tools to help discover and mitigate security vulnerabilities. Ability to code/script in at least one programming language like Python, Java, GoLang, C++. 
  • Excellent knowledge of pen-testing tools and procedures for Web/Mobile.
  • Passionate about automating security testing and penetration testing using tools and code
  • Fundamental understanding of security best practices. Review security vulnerabilities and determine what modifications are needed to minimize risk to the organization via enhancements to the existing environment.
  • Excellent ability to communicate technical solutions. Assist in developing test plans, test the products, make recommendations, and assist in developing the architecture and implementation plan for approved solutions.
  • Teamwork and advocacy: Fostering a culture of cybersecurity across various teams.

The Nice-to-Haves

  • Experienced in vulnerability management, patching automation, and understanding of VA/PT techniques
  • Cyber Security certifications like OSCP/OSCE/CREST will be an added advantage

Additional Information

Our Commitment

We are committed to building diverse teams and creating an inclusive workplace that enables all Grabbers to perform at their best, regardless of nationality, ethnicity, religion, age, gender identity or sexual orientation and other attributes that make each Grabber unique.


Tags: Application security Audits Automation AWS Azure C Cloud CREST Exploits GCP Golang Incident response Java LLMs OSCE OSCP Pentesting Python Red team Risk assessment Vulnerabilities Vulnerability management

Perks/benefits: Career development Startup environment Team events

Region: Asia/Pacific
Country: India