OSlash is a modern platform for growing businesses to manage employees' access to devices, networks, and applications in a single interface. We remove the administrative work of managing IT so companies can focus on what they do best.
OSlash is currently seeking a Security Engineer to work on today’s evolving offensive and defensive measures in the application security field.
As a Security Engineer, you will work with multiple development teams to improve and execute OSlash’s Secure Development Life Cycle for providing secure products and solutions to OSlash and our clients.
Acting as a subject matter expert, you will be responsible for providing secure coding best practices and guidance to development teams while also working to enable tools and capabilities that support OSlash’s SDLC processes.
Key Qualifications and Responsibilities
- Experience in web/mobile application security, SSDLC, Threat Modeling.
- Experience implementing, running, and maintaining tools and/or processes to reliably identify security issues such as SQLi, XSS, CSRF, and business logic flaws across large code bases (SAST, DAST, PenTesting, Security Unit Testing, etc).
- Promote the culture of security first @ OSlash.
- Do not take a check-the-box mentality to security.
- Ability to triage, reproduce, recommend remediations, and implement fixes for vulnerabilities.
- Passion for understanding and researching vulnerabilities and exploitation techniques.
- Knowledge of development and integration tools and technologies (e.g. CI/CD).
- Working knowledge of the development and oversight of required corrective action plans relating to security risks and compliance requirements.
- Knowledge of test automation frameworks and how they can be put to use for security QE.
- Practical knowledge of applied cryptography and common attacks against modern cryptographic algorithms (encryption at rest, TLS, hashing, etc)
- Communicate effectively across teams and to peers.
- Educate application developers to build security in their code and development environments.
- Knowledgeable regarding backend security topics such as secret management and service authentication.
- Perform penetration tests and coordinate third-party vendor Pen Tests.
- Rating the severity of defects and publishing comprehensive reports detailing associated risks and mitigations.
- Awareness of applications implementing OAuth, SAML, and JWT authentication.
- Understanding of web security mechanisms (such as SOP, CORS, CSP, Subresource Integrity, and same-site cookies).
- Innately curious and able to learn. You should be confident in picking up new technologies and pivoting when the role requires, given the fast-paced agile development environment we support.
- A critical thinker for whom troubleshooting is paramount. You strive for practical, creative solutions to difficult problems.
- Passionate for security. You genuinely care about working to create a secure product with modern, agile practices.
- Inclined towards learning multiple areas of security and building competency to deliver a wide spectrum of security like cloud security, operating systems, etc.
- Highly focused on eliminating redundant and repetitive work through automation.
You are an ideal candidate if you have any 8 of these
- B.S. Computer Science or similar combination of education and experience.
- Software development experience in any two of the following (Java, iOS, and Android APIs, Web, Modern JS stack).
- Understanding of common vulnerabilities in web and mobile applications.
- Experience with application security architecture and Code Review
- Contributions to the security community (public research, blogging, presentations, etc)
- Good communication skills
- Have an excellent working knowledge and ability to educate others on common vulnerability types, including SQL/Command injection, XSS, CSRF, and SSRF
- Have experience in web, database, information, and/or infrastructure security
- Know and love learning about the latest security tools, infrastructure, and industry best practices
- Enjoy working across and being a resource for other engineers and sharing your knowledge of secure coding practices
- Experience in authentication and authorization: SAML, OAuth, LDAP, AD, etc
- Sound understanding of app security vulnerabilities, defense techniques, and security best practices, including language-specific security measures and present-day threats
- Have some programming experience with the modern JS web stack.
- Experience with compliance and security controls like SOC 2, ISO, etc.
- Bug bounty experience (running a program or reporting).