This vacancy is only for Ukrainian residents within Ukraine.
We are looking for an AppSec Engineer. If you are interested in designing and building security controls, working hand-in-hand with software developers, and performing security assessments, this may be your position!
Responsibilities:
- Perform security assessment and review of code and behavior of systems (web, API, backends).
- Perform risk analysis and threat modelling.
- Search for weaknesses and vulnerabilities in software in novel fields and areas.
- Participate in the SSDLC for our products and our customers’ products. Explain risks and threats, and work with developers to select security controls that improve security without restricting usability or performance.
- Take part in organisational security practices and work with business owners (risk assessment, crafting policies for organisations, guiding companies towards a more secure future).
- Communicate security technical topics to both technical and non-technical audiences (C-level managers, developers, product owners).
- Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. Check out an example of our work.
- Stay up to date with emerging security threats, vulnerabilities, and controls by reading articles, papers, and NIST guidelines. Follow CVE updates and understand how the threat landscape is changing.
- Contribute to open-source standards such as OWASP standards and guidelines.
Requirements:
- 3+ years as an application security engineer or similar position.
- Experience in performing security assessment for web applications and cloud systems.
- Experience designing and implementing security processes and security controls in a technically diverse environment.
- Familiarity with application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS, OWASP MASVS.
- Understanding of the SSDLC and its difficulties: OWASP SSDLC, NIST SSDF.
- An overall understanding of what information security is and how real-world risks and threats affect the choice of security controls, including how to combine detective, preventive and corrective controls.
- Experience with the security tools the job requires, or the ability to learn them quickly (Burp Suite, network analysers, SAST and DAST tools, dependency and vulnerability scanners).
Nice to have:
- A particular area of expertise and deep interest in web, mobile, IoT or infrastructure security: an area where you have “seen things” and are ready to share your experience.
- Basic knowledge of cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, and KDFs.
- Knowledge of one or several business domains: banking, finance/payment processing, cryptocurrencies, IoT, hardware and ICS.
- Understanding of security standards and methodologies (NIST, ISO, CMMI, SOC).
- Understanding of risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
- Practical experience in scripting languages: Python or Bash.
Our hiring process:
- Test task
- Introduction call
- Technical interview
- Offer
What’s in it for you?
- Competitive compensation with a flexible bonus scheme.
- Hybrid work model: this position allows for a combination of in-office and remote work as needed.
- UK, EU and USA clients.
- Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
- A public track record in the open-source aspects of our products.
- Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
- Paid vacation — 21 business days per year.
- Paid sick leaves.
Our software is well known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems. We work in the B2B space, with customers such as power grid operators, payment processors, legal companies, and million-user consumer applications. We cater to young ambitious startups and well-established enterprises that use our software and solutions as a core part of their security arsenal.