Product Security Engineer, Assessments

What you’ll be doing:

• You will prioritize and perform pen testing including, but not limited to the following:
• web applications and apis
• Web3 (ex: DApp, NFTs etc)
• Cloud infrastructures (AWS)
• Mobile applications and apis
• As a member of the security assessment team, you will be responsible for Threat Modeling of applications, systems and/or services. 
• You will be responsible for supporting the development of processes and procedures to ensure cross-functional SLA’s are exceeded.
• You will review and analyze existing code bases to uncover vulnerabilities, and provide teams with recommended fixes.
• As a member of the security assessment team, you will assist in the development of frameworks and automated tools to be leveraged during assessments. 
• Collaborate with trusted partners to support scoping assessments, environment setup/configuration, project management, troubleshooting and vulnerability remediation testing. 
• You will be responsible for triaging and support of the public Bug Bounty program. This will include, but is not limited to: tiered support, documentation, stakeholder management, risk ranking, on-call rotation and researcher feedback.
• Pick up other duties as assigned.

What we look for in you: 

• 2+ years of programming experience or ability in one of our core languages. At current inventory, we use Ruby (Sinatra & Rails), Golang, JavaScript (Server & client flavors), Java/C++ (physical trading engine stack), Python (Data/ML stack), and Swift/Kotlin (among others for the mobile stack). You don’t need to be a whiz, but we expect you to be able to perform secure code review of new features and/or services. 
• Fluency in a risk and threat modeling methodology. You don’t need to be able to rattle off everything in the CWE as you iterate through STRIDE, but structure and fluidity in your analyses will really help you communicate efficiently across teams. 
• Mobile or Web Application Security experience. Be it source code audit, penetration testing, bug bounty triage, or code reviews, you’ll be expected to examine code with security critical eyes.
• Experience in the automation of manual processes. (ex: Python Scripts, Selenium, Playwright, etc)
• Ability to understand and solve complex problems, which require the ability to work independently and unblock yourself as required.
• Strong written and verbal communication skills, specifically on security topics. The work our team does is consumed by various cross functional teams and leaders; so being able to effectively communicate will be invaluable in avoiding confusion and providing a poor customer experience.
• Some personal or professional experience with exploitation/auditing in the Web3/crypto space. 

Nice to haves:

• Experience working in a high security and/or highly regulated industry. (ex: PCI, SOC, NIST, etc).
• Experience in applied cryptography and/or cryptographic research. 
• Experience in exploit development and/or security research. 
• If you have open source security tooling to your name, we’d love to take a look and understand what problem you are solving and how your solution works. We heavily encourage Open Source contributions!

PID: P60097