Information Security Competence Lead

We are looking for an Information Security Competence Lead to spearhead the organization’s Information Security expertise. You will be accountable for Information Security audits and penetration testing on the current and new assignments, ensure the organization’s Information Security policies and procedures are aligned to withstand current cyber-threats, and maintain a security-conscious mindset among developers.

Why should you join us? With rapid development cycles, a multitude of features to release, and a simple yet beautiful user interface to focus on, it’s easy to overlook the security aspect of a software product, which is often a mysterious black box for many organizations. We are building a unique cyber-security offering to serve as a bridge between businesses, software developers, and infosec pros, aimed at helping organizations be smart and efficient about their information security. You will be part of a team of enthusiasts who love their job and strive to learn more from the world and each other, all while doing the best work of their lives.

Responsibilities:

  1. Conduct technical security audits (white/black/grey box) for existing and new projects:
    • Perform risk and threat model analysis
    • Identify focal points for analysis
    • Define audit methodology
    • Identify potential attack vectors
    • Prioritize and clearly define scope and undertaken responsibility
    • Develop a meaningful audit report
  2. Conduct penetration testing
  3. Keep development teams security-conscious
    • Conduct internal knowledge seminars, educational events, and workshops
    • Help development teams make their products more secure
    • Help fight fear of information security among development teams
    • Create practical assignments for internal security events (CTF/contests)
    • Lead internal bug bounty program, moderate Hall of Fame admission
  4. Introduce Secure SDLC elements (in collaboration with CTO/QD)
  5. Conduct infosec research of your interest

Required experience:

  1. Deep understanding of web security:
    • Models of trust
    • Authentication on the web
    • Vulnerability types, a detailed understanding of how they work, and practical hands-on experience exploiting them (XSS, SQLi, noSQLi (Mongo, Redis, Memcache), CSRF, SSRF, CSTI, SSTI, HTTP header injection, XXE, race conditions, unserialized attacks, cache deception, etc.). Extensive practical experience is required
    • WordPress, Drupal, etc.
  2. A thorough understanding of network security:
    • OSINT, enumeration, DNS, network pivoting, scanning
    • Knowledge of Windows and Linux architecture
    • Active Directory, policy, DCs, etc.
  3. Understanding mobile security:
    • Analysis of network interaction, understanding its concepts
    • Reverse-engineering, Android / iOS apps at a basic level
  4. Will be a plus:
    • Participation in CTFs and public bug bounty programs
    • Conducting own cutting-edge security research
    • Experience with connected devices (CAN bus, IoT, etc.)

Required Skills:

  • Good command of English – to be able to discuss the subject and communicate effectively with CTO / CIO / CISO clients
  • Ability to write high-quality, high-value audit documentation aimed at helping business representatives and software developers improve Information Security within products
  • Easily navigate through both offensive and defensive security areas
  • Ability to conduct audits of the finished software and provide meaningful recommendations 
  • Ability to work in a team and independently
  • Continuous learner who never stops exploring new trends and studies
  • Certifications are desirable but not essential

You are welcome to join our team!
Please send your CV to: team@sigma.software