Job summary

Senior Software Security Engineer

Requirements and responsibilities

Job content extracted into sections for quicker review.

Security Design and Implementation

  • Perform threat modeling, risk assessments, and architecture reviews to identify and mitigate risk.
  • Support engineering teams with detailed security requirements that meet compliance requirements and industry best practices.
  • Perform security code reviews looking for potential security vulnerabilities.
  • Act as a subject matter expert to advise and answer questions from engineering and compliance teams on technical product security matters.

Security Testing

  • Define and oversee the deployment of Software Composition Analysis (SCA) tools to compile SBOMs of software components, helping to identify known vulnerabilities and license compliance violations.
  • Define and oversee the deployment of automated security testing tools into CI pipelines, including Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Secret Detection scanning tools.
  • Manual penetration testing of web applications (backend and frontend). Manual penetration testing skills in the domains of cloud infrastructure, embedded/OS, or mobile are desirable.
  • Write custom scripts or unit test cases to check for vulnerabilities or broken/missing security controls.
  • Recommend improvements to existing security scanning tools and processes, and propose new ones.

Vulnerability Management

  • Triage the findings from the automated security scanning tools.
  • Validate potential security vulnerabilities to determine whether they are actual true positives, or false positives (i.e. non-applicable) in the product context. Write proof of concept exploits when necessary to achieve this.
  • Assess the risk of vulnerabilities and threats in order to help the business determine their remediation priority order.
  • Communicate the identified security issues to engineering and compliance stakeholders, and manage them throughout the SDLC process to ensure they are properly addressed.

SDLC and DevSecOps Integration

  • Establish and maintain secure coding standards, baseline product security requirements and more general best practices to provide guidance to development teams.
  • Assist the program area with implementing a secure Continuous Integration/Continuous Delivery (CI/CD) pipeline utilizing DevSecOps principles and practices to increase automation.
  • Implement automated security controls as part of CI/CD pipelines.

Incident Response and Compliance

  • Support product security incident response processes, including root cause analysis (identify the affected product components, data, and the overall impact level) and definition of mitigation strategies.
  • Define clear criteria and protocols for security incident response.
  • Conduct post-incident analysis to compile lessons learned and measures to prevent similar incidents from recurring, and refine response strategies.
  • Monitor emerging security threats, vulnerabilities, and trends to proactively investigate, remediate, and integrate new protections.
  • Ensure products comply with relevant security standards, certifications, and regulations (e.g., OWASP, NIST).

Experience and Education

  • 7+ years of experience in Security Engineering with a focus on product security and/or application security.
  • Bachelor’s degree in Computer Science, Information Security, or a related technical field.

Technical Skills

  • In-depth knowledge of Linux and Docker container-based infrastructures, including their orchestration (e.g. Kubernetes).
  • Working knowledge of techniques, standards, and state-of-the-art authentication and authorization technologies, applied cryptography, security vulnerabilities and remediations.
  • Significant software development experience. Experience in Go (our main backend language), TypeScript/JavaScript, C/C++, Python, and Bash is desirable.
  • Working knowledge of web-related protocols and technologies (HTTP, REST APIs, DOM, CSP), networking protocols (IP, TCP, UDP), and security protocols (TLS).
  • Experience in performing threat modeling, with a good grasp of common threat vectors and frameworks.
  • Strong knowledge of security principles, best practices, and industry standards, such as NIST, ISO 27001, CIS Critical Security Controls, and the OWASP ASVS and Testing Guides.
  • Familiarity with industry-standard security frameworks such as OWASP and NIST.
  • Experience with security tools such as SAST, DAST, IAST, and SCA.
  • Exceptional analytical and investigative skills, with hands-on experience in root cause analysis.
  • Knowledge of current and emerging threats and techniques for exploiting security vulnerabilities.
  • Experience with CI/CD pipeline, security tools integration, and secure SDLC.
  • Experience with cloud-based infrastructure (AWS, Azure, or Google Cloud) and best practices for securing cloud environments.

Advanced Expertise

  • Familiarity with security considerations for AI/ML systems is desirable.
  • Understanding of distributed systems design, implementation and operation.
  • Understanding of privacy threats and controls, including how to adapt generic best practices to specific scenarios in the product by providing detailed specifications to stakeholders.
  • Exploit development experience, and good understanding of the necessary conditions to trigger different vulnerability types, and the maximum impact achievable.
  • Experience with enterprise log collection and analysis platforms (e.g., Splunk, OSQuery).

Education and Certifications

  • Master's degree or equivalent experience preferred.
  • Security certifications are a plus, including OSCP, OSEE, SANS/GIAC, CCSP, and CISSP.

Soft Skills and Leadership

  • Excellent verbal and written communication, with the ability to translate complex security concepts to technical and non-technical stakeholders.
  • Demonstrated ability to design, document, and implement new security processes.
  • Experience in a high-growth technology environment or SaaS business.
  • Ability to remain calm under pressure, especially during incidents or audits.

Basic Requirements

  • Bachelor's degree
  • 5+ years of experience in Security Engineering