Senior Security Engineer – Vulnerability Management

What you will do:

• This position will be responsible for Manual Testing and Validation:
• Conduct in-depth manual testing to identify vulnerabilities not covered by automated tools.
• Validate the accuracy of automated findings and ensure comprehensive coverage for critical systems.
• Provide detailed remediation guidance to development teams based on manual findings.


This position will be responsible for performing Comprehensive Testing and Analysis:
• Conduct both automated and manual testing to uncover vulnerabilities:
• Static Analysis: Detect insecure coding patterns during development.
• Tools: GitHub Advanced Security (CodeQL), SonarCloud, Checkmarx CLI.
• Dynamic Application Security Testing (DAST): Identify runtime vulnerabilities such as XSS or SQL Injection.
• Tools: OWASP ZAP CLI Runner, Burp Suite Enterprise Edition.
• Fuzz Testing: Discover unknown vulnerabilities through randomized inputs.
• Tools: ClusterFuzzLite, libFuzzer.
• Dependency Analysis: Identify vulnerabilities in third-party libraries and components.
• Tools: Dependabot, Snyk CLI, OWASP Dependency-Check.
• Environment Simulation and Sandboxing: Test software in isolated environments to simulate real-world attacks.
• Tools: Docker, Minikube, Cuckoo Sandbox.


Vulnerability Triage and Management:
• Identify, prioritize, and track vulnerabilities from multiple sources, including automated tools, penetration testing, and external reports.
• Collaborate with development teams to ensure timely remediation of findings.


Work with Security Engineering to develop Automated Testing Pipelines:
• Design, implement, and maintain automated security testing pipelines using GitHub Actions.
• Integrate security tools into CI/CD workflows to enable continuous testing.
• Enhance pipeline efficiency by automating vulnerability identification, tracking, and validation processes.


Collaboration with Development Teams:
• Act as the primary security liaison for engineering teams, guiding secure coding practices and remediation strategies.
• Review and approve remediation actions to verify closure of identified vulnerabilities.


Process Development and Metrics:
• Establish workflows for vulnerability triage, testing, and closure.
• Develop and monitor metrics to measure the effectiveness and efficiency of vulnerability management processes.

What we look for:

• Expertise in building and managing automated security testing pipelines in CI/CD workflows.
• Strong knowledge of static and dynamic application security testing tools and methodologies.
• Hands-on experience conducting manual security testing, including penetration testing and vulnerability validation.
• Proficiency in programming or scripting languages (e.g., Python, Ruby, Go, or Rust) for building and customising testing tools.
• Experience working with development teams to remediate vulnerabilities and ensure secure software delivery.
• Familiarity with secure coding practices and common vulnerabilities (e.g., OWASP Top 10, CWE/SANS Top 25).
• Knowledge of modern security frameworks such as MITRE ATT&CK and NIST CSF.


Preferred Qualifications:
• Experience with Kubernetes and containerised application security.
• Proven ability to automate complex security testing workflows.
• Published tools or research related to security testing or vulnerability management.


By joining Kong Inc., you will combine your expertise in vulnerability management, security engineering, and hands-on testing to ensure the security and reliability of our leading cloud-native API management platform. If you’re ready to take ownership of testing and remediation processes while driving innovation in secure software development, we’d love to hear from you!