Capital TechSearch is seeking Senior Security Researcher to be a champion and technical leader in our client’s journey to build a world class Product Security organization. You will partner with Engineering, IT and other partners to deliver secure software. You will work on source code and design reviews, fuzzing, penetration testing of applications, and code / vulnerability remediation support. You will help us teach and lead engineering and product down the path of how to develop and deliver secure software – working elbow to elbow with your peers. The ideal candidate will be a mix of hacker, programmer and security evangelist.
- Work as a key security researcher within an elite engineering team delivering industry-leading blockchain protocols and applications
- Perform web application penetration testing, source code reviews, and/or network penetration testing.
- Support project tasks and deadlines for engineering teams spanning multiple timezones.
- Create unique tools to assist in research project goals.
- Exploit vulnerabilities found in product systems; and clearly communicate complex vulnerabilities to both technical and non-technical staff.
- Create detailed technical reports explaining technical and business risk of the vulnerabilities found to include actionable recommendations/considerations.
- Participate in project conference calls with internal engineering stakeholders
- Provide technical leadership/mentorship to the security and engineering teams.
- Contribute to the security industry through presentations, blog posts, whitepapers, responsible disclosure, and/or research.
- Participate in and help lead the broader secure software community via the Application Security (AppSec) Guild.
General Experience – A combination of formal education and experience in the following areas: Performing senior-level penetration testing and other application security assessment activities. Performing design code reviews Demonstrating high ethical standards Developing and/or delivering training in secure application development practices Applying offensive security methodologies Education and Industry Experience – In general we are looking for a Bachelor’s degree and 5+ years of experience or an advanced degree and 3+ years experience in a relevant field to cyber security, or equivalent experience. Relevant experience could be a traditional Computer Science background with formal or avocational focus on security tools and techniques, a formal degree or certificate cyber security program, direct experience in a cyber security role such as security architect or pen-tester or equivalent experience. Non-traditional backgrounds are also welcome provided you can demonstrate the requisite skills and knowledge through both direct assessment and documentation of experience.
Required Skills and Knowledge
- We are looking for a team member with skills and knowledge meeting most of the following topics. Every individual is different and we understand people will be strong in some areas and be not as strong in some areas. In particular we understand an entry level candidate will have limited exposure to some areas of security practice and software engineering.
- We seek a candidate with strong technical skills in a variety of areas. As a senior candidate you will have some experience in most or all of these areas and will consider yourself an expert in at least a few of them. This includes:
- Familiarity with attack tools such as Metasploit, Burp Suite, Fuzzing, Gauntlt, Kali Linux and similar tools.
- Network penetration testing
- Mobile application penetration testing (iOS and Android)
- Web Services penetration testing (RESTful and SOAP)
- Hardware/Embedded system hacking
- Reverse Engineering
- Proficiency with basic Linux systems privilege and permission models, admin and operational concepts, and basic scripting.
- Basic understanding of orchestration and automation tools including at least one of Ansible, Chef, Puppet, Terraform or Saltstack.
- Possess a strong understanding of application architectural patterns, such as MVC, Microservices, Service Oriented Architecture, Serverless, Message bus/event driven, etc.
- Organized and capable of executing complex plans with minimal direction.
- Possess a restlessness and desire to break and break and break into things.
- Knowledge of common attacks and vulnerabilities including OWASP Top 10 and SANS CWE 25.
- Strong self-starter who has the ability to operate independently.
- Developed communications skills with ability to deliver concepts effectively to non-technical audience including senior leadership; proficiency in preparation of presentations, analytical reports, and documents regarding program operational status, achievement and performance. This includes a requirement for a high proficiency in written and spoken English.
Desirable Qualifications – A senior and well rounded individual may have additional skills and experience. These are not required but will be highly valuable in this role. Understanding of and experience with:
- The practice of software development across a larger organization.
- Understanding of Agile fundamentals like Test Driven Development, backlogs and user Stories
- Understanding of Continuous Integration/Testing/Delivery tools and techniques.
- Familiarity with scanning and intelligence tools such as Qualys, Tenable/Nessus, jFrog xRay and Black Duck.
- A passion for agile development methodologies including TDD/XP/Scrum/Kanban
- Experience with public cloud concepts, architectures and tools (AWS, Azure and/or GCP).
- Application Security and Penetration Testing certifications such as OSCP, OSCE, OSWE and CEH.
- Other Information and Cyber Security certifications including CISSP, CISM, CompTIA Security+ and GSEC.
- Experience and history of external communications including papers and conference presentations.
Offered Salary160k-180k, 180k-200k, 200k and greater