Senior Security Researcher
  • United Arab Emirates Dubai
  • Deriv
1 year ago
31.12.2023
Analyze
Exploitation Analysis
Job Description

Job Information

Industry
Cyber Security & IT

City
Dubai

Country
United Arab Emirates


Job Description
You’ll be part of our Product Security team, where we’re the first line of defence against hackers and security flaws that may impact our trading platforms, products and global client base. We manage threats and potential security risks through smart strategies, airtight policies, meticulous communication, and technical execution.
As a Senior Product Security Researcher at Deriv, you’ll evaluate our security measures and the existing protections of our products, applications, networks and Cloud Infrastructure through penetration testing.
Your key responsibility will be a proactive one: analysing our systems to look for weaknesses and potential security issues. As a custodian of security, you’ll promote compliance with security best practices and awareness of the latest online threats. Your experience, skills, analytical mindset and understanding of security protocols will protect Deriv from new and emerging threats.

Your challenges

Perform vulnerability research and security testing against our products, networks, platforms and infrastructure to identify potential attack vectors to protect the organisation
Utilise your skills and experience to actively seek out potential weaknesses in our organisation to improve our security posture
Participate in security projects — scope the requirements, create POCs, execute test plans, create result reports, and resolve any issues
Stay up-to-date with the latest vulnerabilities, techniques and tools
Create detailed reports and presentations on your research findings
Review the security configurations of our equipment, tools, systems and services to ensure they are optimal
Develop security assessment tools and processes to address identified vulnerabilities
Assist in driving a security mindset within the company and collaborate with the wider security team and other groups to share ideas, tools and processes


Requirements

8+ years of technical experience as a security researcher, red team member or equivalent role
Experience with software architectures and with known security issues and exploits in cloud environments (AWS/GCP)
Complete familiarity with writing custom code and scripts to investigate and reproduce security threats
Understanding of the new and common attacks and mitigations such as timing, injection (e.g. form parameter/SQL), side-channel, DoS, buffer overflows, and DNS cache poisoning
Ability to quickly assess the security impact of CVEs and bugs
Deep understanding of encryption fundamentals and best practices
Solid knowledge and experience in OSI model, TCP/IP, and other industry-standard network defence concepts
Strategic and critical thinking, teamwork, good problem-solving, judgement, and decision-making skills
Comprehensive experience in bug bounty programmes such as HackerOne, Bugcrowd, Synack, and Cobalt
Experience in scripting/coding (e.g. Perl, Node.js, JavaScript/TypeScript), knowing what to look for
Knowledge of operating systems such as Linux, macOS and Windows
University degree in IT or a relevant field, or equivalent work experience
OSCP, OSWE, CEH, Security+, eJPT, eWPT, CISSP, or any GIAC certification
Good interpersonal skills
Excellent spoken and written English communication skills


Benefits

Market-based salary
Annual performance bonus
Medical insurance
Housing and transportation allowance
Casual dress code
Work permit


Required Knowledge
  • K0001   Knowledge of computer networking concepts and protocols, and network security methodologies.
  • K0005   Knowledge of cyber threats and vulnerabilities.
  • K0177   Knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
  • K0354   Knowledge of relevant reporting and dissemination procedures.
  • K0362   Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).
  • K0393   Knowledge of common networking devices and their configurations.
  • K0394   Knowledge of common reporting databases and tools.
  • K0397   Knowledge of security concepts in operating systems (e.g., Linux, Unix).
  • K0417   Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).
  • K0430   Knowledge of evasion strategies and techniques.
  • K0451   Knowledge of identification and reporting processes.
  • K0487   Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
  • K0535   Knowledge of strategies and tools for target research.
  • K0544   Knowledge of target intelligence gathering and operational preparation techniques and life cycles.
  • K0608   Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).

Required Skills
  • S0300   Skill in writing (and submitting) requirements to meet gaps in technical capabilities.

Required Abilities
  • A0086  Ability to expand network access by conducting target analysis and collection to identify targets of interest.
  • A0092  Ability to identify/describe target vulnerability.
  • A0093  Ability to identify/describe techniques/methods for conducting technical exploitation of the target.