You are an application security expert who wants to get in on the ground floor of one of NYC's most exciting startups. You are passionate about security, and want to build a secure product that will revolutionize an entire industry.
You love to learn, and equally love to share your knowledge with others. You’re both a listener and contributor. You are a great communicator and you take care to understand before making yourself understood.
We are looking for an experienced security professional who is interested in working with a talented startup team in building secure, resilient, and high-performance websites, mobile apps, and data services for the real estate industry. You will work with developers to make security and compliance available to be consumed as services. You will help architect secure web products, perform simulated attacks, identify weaknesses, and work with the engineers to remediate and protect our products. You will lead our effort to build security as code.
What We're Looking For:
- 6+ years of hands-on experience performing security tests and manual pentests on web applications, mobile apps, and web services (APIs).
- Deep understanding of application security vulnerabilities and remediation techniques.
- Experience performing threat modeling, and designing secure web services, RESTful APIs, and microservice architectures.
- Strong knowledge and hands-on experience with AWS cloud infrastructure and native security services such as Inspector, GuardDuty, Web Application Firewall, Security Groups, and CloudTrail.
- Proficiency in automating security as code into a CI/CD pipeline.
- Proficiency in scripting languages such as Bash and Python.
- Knowledge of programming languages like Java, Python, and Golang.
- Knowledge of the Linux operating system and containerization technology such as Docker and Kubernetes.
- Experience and knowledge of tools to facilitate secure SDLC controls (SAST, DAST, IAST, RASP, etc.).
- Bachelor’s degree in Computer Science or Engineering or commensurate experience.
- Professional certification such as OSCP, OSWE, GWAPT, GWEB, GXPN preferred but not required.
- Contribution to the security community (public research, blogging, presentations, etc.) preferred but not required.