Application Security Engineer
  • Ukraine Kyiv, Lviv, remote
  • Cossack Labs
1 year ago
$2500 - $4500
17.09.2023
Protect and Defend
Job Description

Cossack Labs is looking for an **Application security engineer** to join our **Security team** and work with us on building and breaking software.

If you are interested in designing and building security controls, working hand-in-hand with software developers, and performing security assessments, this may be the position for you!

**You will:**

— Perform security assessments and reviews of the code and behaviour of systems (web, API, backends). Perform risk analysis and threat modelling.
— Perform security research (find security weaknesses and vulnerabilities in software) in novel fields and areas.
— Participate in SSDLC for our products and our customers’ products. Explain risks & threats, work together with developers to select security controls that would improve security without restricting usability/performance.
— Take part in organisational security practices and work with business owners (risk assessment, crafting policies for organisations, guiding companies towards a more secure future).
— Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how the threat landscape is changing, understand how to apply the ideas described, read NIST guidelines).
— Dive into application security, infrastructure security, data security, IoT security, ML security with our team of skilled engineers.
— Share your work as conference talks and blog posts, and contribute to open source standards like OWASP.

**We would expect you to have:**

— Experience in performing security assessments of web (or mobile) apps.
— Experience designing and implementing security processes and security controls in a technically diverse environment.
— Familiarity with application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS, OWASP MASVS.
— Understanding of SSDLC and its difficulties (OWASP SSDLC, NIST SSDF).
— Communication skills: you will communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
— An overall understanding of what information security is and how real-world risks and threats affect the choice of security controls, including how to combine detective, preventive and corrective controls.
— Experience with the popular security tools required for the job, or the ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST tools, dependency and vulnerability scanners).

**As a plus you’d have:**

— A particular area of expertise and deep interest: web, mobile, IoT, infrastructure — an area where you have “seen things” and are ready to share your experience.
— Basic knowledge of cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDFs.
— Knowledge of one or several business domains: banking / finance / payment processing, cryptocurrencies.
— Understanding of security standards and methodologies (NIST, ISO, CMMI, SOC).
— Understanding of risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
— Security engineering or management certifications (CISSP/CISA/CISM or OSCP/CompTIA Security+ or similar).
— Practical experience in scripting languages: Python or Bash.

**We offer:**

**(1) Unique area of expertise:**
— Interesting and challenging work in applied security engineering: from building to breaking.
— Working at the intersection of different areas: designing ML security controls, supporting cryptographic protocols with security controls, protecting hardware, building reverse-engineering-resilient mobile apps, securing web apps for millions of users, etc.
— Combining technologies: cryptography, software engineering, information security. You won’t be bored :)
— A public track record in the open source part of our products, sharing your work as blog posts, research papers and conference talks. We work with innovative companies all over the world, move quickly and dive into technologies others have only heard about.
— A sense of meaning and responsibility for those who seek purpose: we’re building the “invisible texture of modern civilization”, bits of infrastructure that finance, power grids and healthcare rely on, and we are trusted with very challenging aspects of it.

**(2) Environment:**
— Friendly and experienced team: smart people to learn from, great people to build with. Each of us is unique, we value and support each other.
— An atmosphere that motivates you to grow and get smarter every month, a healthy ratio of routine / experimentation.
— Trust: schedules, reporting and bureaucracy are kept to a reasonable minimum. We hire smart people and trust them to do the right thing. When things go wrong, we help rather than punish.
— Shared decision making: this business is driven by engineering excellence, so engineers are an important part of tactical and strategic business decisions.
— Friendly to humans: not just a formal vacation and sick leave quota. Feel like your mental or physical wellbeing needs care? Take some time off. Feel like working a few days from home? Sure. As long as you’re in line, we are here to support you when you’re not.

**(3) Growth:**
— A team that facilitates internal learning and growth all the time.
— Interesting technologies to work with — sometimes even unique ones (we design applied cryptography schemes and techniques and novel ways to use them).
— Interesting engineering challenges across the board, with the ability to hop from high-level system design to protocol reverse engineering and clever data modelling hacks.
— Management attention to help you improve upon your personal goals (through regular 1:1s and mentoring).

**(4) Benefits:**
— Competitive compensation with a flexible bonus scheme.
— Sick leave, 21 vacation days a year, extra days off — according to agreements and laws.
— Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops and blog posts.


Required Knowledge
  • K0001   Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0002   Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0005   Knowledge of cyber threats and vulnerabilities.
  • K0007   Knowledge of authentication, authorization, and access control methods.
  • K0013   Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
  • K0019   Knowledge of cryptography and cryptographic key management concepts.
  • K0033   Knowledge of host/network access control mechanisms (e.g., access control list, capabilities lists).
  • K0044   Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • K0049   Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
  • K0056   Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
  • K0058   Knowledge of network traffic analysis methods.
  • K0061   Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
  • K0112   Knowledge of defense-in-depth principles and network security architecture.
  • K0221   Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).
  • K0260   Knowledge of Personally Identifiable Information (PII) data security standards.
  • K0290   Knowledge of systems security testing and evaluation methods.
  • K0297   Knowledge of countermeasure design for identified security risks.
  • K0342   Knowledge of penetration testing principles, tools, and techniques.
  • K0624   Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list).
  • K0205   Knowledge of basic system, network, and OS hardening techniques.
  • K0258   Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)).
  • K0334   Knowledge of network traffic analysis (tools, methodologies, processes).
  • K0009   Knowledge of application vulnerabilities.

Required Skills
  • S0027   Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0036   Skill in evaluating the adequacy of security designs.
  • S0147   Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
  • S0121   Skill in system, network, and OS hardening techniques. (e.g., remove unnecessary services, password policies, network segmentation, enable logging, least privilege, etc.).
  • S0124   Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution.
  • S0001   Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • S0051   Skill in the use of penetration testing tools and techniques.
  • S0137   Skill in conducting application vulnerability assessments.
  • S0171   Skill in performing impact/risk assessments.

Required Abilities
  • A0015  Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
  • A0123  Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • A0001  Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
  • A0044  Ability to apply programming language structures (e.g., source code review) and logic.