ShapeShift is seeking a Senior Software Security Engineer to help identify risks and mitigate them for this growing organization. The Software Security Engineer will be scanning, researching, hacking, and advising developers on security, in addition to altering source code to resolve security vulnerabilities. The ideal candidate will possess a keen understanding of how tweaking one parameter can vastly change the security outcomes of an information system. This position offers a unique opportunity to think with a black hat but wear a white hat for an exciting cryptocurrency startup.
This is a full-time, exempt position that reports directly to the CISO.
Your desire to make a real impact on an organization and the world grows by the day. The ideal candidate will be open to daily changes in workflow and protocol (and force us to improve workflows). As a start-up in an evolving space, there are new challenges that require new solutions every day.
GOALS OF POSITION
- Stay abreast of daily CVE announcements and 0-day vulnerabilities.
- Provide strong software engineering experience to ShapeShift’s Security team.
- Work with Site Reliability Engineers and IT administrators to mitigate any vulnerabilities found with ShapeShift's systems.
- Provide security guidance and advice to software engineers on best practices for storing, securing, and accessing secrets in their application development.
- Participate in architecture design discussions for ShapeShift's upcoming feature enhancements and new products/services, ensuring best practices in security are followed in each phase of development, and ensuring security risks are understood and mitigated in the design choices.
- Execute and automate approved penetration tests, vulnerability scans, and related intelligence gathering about the existing security posture of development and production systems.
- Manage the internal TLS Certificate Authority, issuing and revoking internal server and client certificates where necessary.
- Collect and organize security-related metrics for reporting to ShapeShift’s CISO.
- Maintain ShapeShift's existing Information Security Policy, ensuring it is up-to-date with ShapeShift's requirements.
- Provide security training to all new staff, and security refreshers to existing staff.
- Oversee the provisioning of cryptographic keys and security hardware for new staff.
- Independently research, understand, and implement security enhancements to ShapeShift systems, and communicate changes to management in a timely fashion.
SUCCESS METRICS OF POSITION
- Concerns and risks are brought to the attention of the CISO in a timely manner
- Staff receive your assessments and recommendations on improving/maintaining security in a timely manner
- Staff are able to rely on you to educate them on security and answer their questions
- Ability to contribute security enhancements to ShapeShift’s codebase.
- Senior Security Engineer is able to meet deadlines independently
WHAT YOU BRING TO THE TABLE
- "Jack of All Trades" mindset, knowledgeable in many areas
- "Geek to English translator" - ability to train/teach security concepts to non-security staff in easy-to-understand language
- Strong "Google-fu" - ability to quickly find and learn concepts that aren't already known
- Knowledge and experience that can be relied upon by others in the Security department
- Ability to be flexible while working in a dynamic startup environment
- Desire to make the world a better and safer place
REQUIRED EDUCATION & EXPERIENCE
- 7+ years of full-stack engineering experience or equivalent
- Strong competency with modern software development tools (Git, Jira, IDEs)
- Experience performing source code review
- Experience resolving application-level vulnerabilities
- Experience working with GPG / PGP
- Experience with TLS, cryptographic certificates and PKI
- Experience performing vulnerability scanning (e.g. Metasploit, Nessus, or similar)
- Securing and administering services/daemons according to best practices
- Experience working with Linux and open source technologies
- At least 4 years of experience in a security-focused role
PREFERRED EDUCATION & EXPERIENCE
- Experience securing cloud-based service providers, such as DigitalOcean, Azure, and AWS
- Experience with deployment automation tools such as CircleCI, Terraform, etc.
- Experience with penetration testing
- Experience with charting, graphing, and presenting data visually
- Experience working with cryptocurrencies and blockchains
- Familiarity with Agile Development Methodologies
- Familiarity with hardware and firmware security
- Security certifications such as CISSP, CISA, OSCP, PenTest+, or Security+ would be an asset
- Experience with Open Source Software