Middle Information Security Engineer

We are looking for an Information Security Engineer to strengthen our Information Security expertise. You will take an active part in Information Security audits and penetration testing on current and new assignments for our customers, and help maintain a security-conscious mindset among developers.

We have a team of enthusiasts who love their job and strive to learn more from the world and each other, all while doing the best work of their lives.

Responsibilities:

  • Conduct technical security audits (white/black/grey box) for existing and new projects:
    • Perform risk and threat model analysis
    • Identify focal points for analysis
    • Define audit methodology
    • Identify potential attack vectors
    • Prioritize and clearly define the scope and the responsibility undertaken
    • Develop meaningful audit reports
  • Conduct penetration testing
  • Keep development teams security-conscious:
    • Conduct internal knowledge seminars, educational events, and workshops
    • Help development teams make their products more secure
    • Help fight fear of information security among development teams
    • Create practical assignments for internal security events (CTF/contests)
  • Introduce Secure SDLC elements (in collaboration with CTO/QD)
  • Conduct research of your interest

Required experience:

  • Deep understanding of web security:
    • Models of trust
    • Authentication on the web
    • Vulnerability types: a detailed understanding of how they work and practical experience exploiting them (XSS, SQLi, NoSQLi (Mongo, Redis, Memcache), CSRF, SSRF, CSTI, SSTI, HTTP header injection, XXE, race conditions, deserialization attacks, cache deception, etc.). Extensive practical experience is required
  • A thorough understanding of network security:
    • OSINT, enumeration, DNS, network pivoting, scanning
    • Knowledge of Windows and Linux architecture
    • Active Directory, policy, DCs, etc.
  • Understanding of mobile security principles:
    • Analysis of network interaction, understanding its concepts
    • Reverse engineering of Android/iOS apps at a basic level
  • Ability to write high-quality, high-value audit documentation in English aimed at helping business representatives and software developers improve Information Security within their products
  • Ability to navigate easily through both offensive and defensive security areas
  • Ability to conduct audits of finished software and provide meaningful recommendations
  • Ability to work in a team and independently
  • Certifications are desirable but not mandatory

Will be a plus:

  • Participation in CTF, public bug bounty programs
  • Conducting your own cutting-edge security research
  • Experience with connected devices (CAN bus, IoT, etc.)

You are welcome to join our team!
Please send your CV to: team@sigma.software