Job Openings Principal Security Engineer

About the job Principal Security Engineer

Context

Our client is a cybersecurity company that builds custody SaaS protocol for web3 apps. Think of it as a developer tool that provides secure cloud for crypto. Their mission is to bring serenity to DeFi by eliminating new blockchain risks and making crypto transactions easier, faster, more affordable, and compliant with existing regulations.

From fintechs to large banks to e-commerce sites, our client gives financial institutions and businesses the freedom to own and transfer crypto on battle-designed security infrastructure. Their API is designed to offer a best-in-class developer experience allowing any platform to deploy custodial wallets in a matter of days, with streamlined feature delivery and frequent security upgrades.

Founded in 2020 in Paris,  our client is incubated at Station F (awarded Future 40), accelerated by Techstars and recognized DeepTech by the French Ministry of Economy. Our company is fully remote with offices in Paris, Amsterdam, New York, London, Stockholm, Sofia, and other cities.

Job Description
You will contribute to one of the most ambitious technology projects in crypto today: building a trustless custody infrastructure for the trillion-dollar digital asset industry.

You will join an amazing team of leaders (CTO, VP of Research, CISO) and experts (Software Engineers, R&D Engineers, Security Engineers) in a highly challenging and collaborative environment.

We are looking for a Principal Security Engineer to run security operations within our company. You will have to demonstrate excellent surveillance and emergency response skills. You will need a strong commitment to security rules and knowledge of all hazards and threats to safety. Ultimately, you will work to ensure the security of our business information, employee data and client information throughout our entire network.

As Principal Security Engineer, you will detect insecure features and malicious activities within our networks and infrastructure. You will implement customized application security assessments for client-based asset risk, corporate policy compliance as well as conduct vulnerability assessment. You must have an advanced understanding of TCP/IP, common networking ports and protocols, traffic flow, system administration, OSI model, defense-in-depth and common security elements. Your focus is not only limited to assessing whether vulnerabilities exist but also how those risks could be mitigated. The ideal candidate loves security and possesses both deep and wide infosec expertise. You will make things more secure by protecting system boundaries, keeping computer systems and network devices hardened against attacks and securing highly sensitive data.

Mission
Your primary goal will be to create and preserve environments where employees, clients and assets are monitored, safe, and well-protected.
Example of a primary metric would be Defect Discovery Rate.

Your day-to-day projects will involve:

  • Sharing the big picture to your team, defining the levels of priority within the product roadmap, and being accountable for the deadlines and the quality of production.
  • Acting as a powerhouse of ideas on all security and technical issues.
  • Determining security violations and inefficiencies by conducting periodic audits.
  • Keeping customers updated via performance and system status reports
  • Analyzing security systems, researching weaknesses, reporting possible threats or software issues, and finding ways to counter them on a daily basis.
  • Creating and maintaining artefacts in a protected repo established as a single source of truth.
  • Finding and removing outdated and vulnerable code and code libraries.
  • Building security tooling and automation for internal use that enable SecTeam to operate at high speed and at scale.
  • Detecting and responding to company-wide security incidents.
  • Running security forensics in the case of a cyber attack and/or a data leak.
  • Identifying and mitigating complex security vulnerabilities before an attacker exploits them.
  • Taking initiatives to curb known abusive activity, and identifying unknown abuse vectors.
  • Focusing on designing, researching, and executing attacks to challenge the blue team.
  • Reporting on the red team engagements providing in-depth analysis of the security issues.
  • Developing technical solutions and new security tools to help mitigate security vulnerabilities and automate repeatable tasks.
  • Writing comprehensive reports including assessment-based findings, outcomes and propositions for further system security enhancement.
  • Authoring and updating internal and external docs, and formally initiating and delivering requirements.
  • Authoring blogs posts and doing talks at security conferences on vulnerabilities discovered.
  • Facilitating cross-branch communication and know-how exchange between team members.
  • Handling communications with independent vulnerability researchers and designing appropriate mitigation strategies for reported vulnerabilities.
  • Implementing security best practices and new ideas to encourage innovation within your team.
  • Working closely with CISO to embed best-in-class information security processes within the corporate policies, processes, and internal workflows.
  • Making proposals across several teams on cross-functional security initiatives.
  • Acting as DRI and escalation point for teams facing extremely complex technical challenges.
  • Keeping abreast of the latest developments in crypto, DeFi and blockchain to feed the company's strategic orientations.
  • Continually researching current and emerging technologies and propose changes.


Requirements

  • 10+ years experience as a Principal Security Engineer, 2+ years direct experience with incident response, and 2+ years experience in anti-abuse processes.
  • Recognized security expert in multiple specialty areas, with cross-functional team experience
  • Ownership of significant sub-department objectives, goals and OKRs.
  • Engineering expert capabilities of challenging the reasoning of other engineers.
  • Experience in designing and securing APIs (RESTful, GraphQL, SWIFT).
  • In-depth understanding of coding languages, namely Rust, Go, Python, and/or Typescript.
  • Hands-on experience analyzing high volumes of logs, network data and attack artefacts.
  • Proficiency with antivirus, vulnerability scanning and information security software.
  • Detailed technical knowledge of database and operating system security.
  • Hands on experience in security systems, including firewalls, intrusion detection systems, anti-virus software, authentication systems, log management, content filtering, etc.
  • Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
  • Experience with cloud platforms such as AWS, GCP, and setting up environments between them.
  • Thorough understanding of the latest security principles, techniques, and protocols.
  • Excellent knowledge of security procedures and relevant industry standards (ISO, SOC, etc.).
  • Experience testing secure, fault-tolerant, and resilient systems.
  • Founding-spirited with grit and guts to pursue complex worldwide ambitions.
  • Excellent analytical and problem-solving skills.
  • Excellent written and verbal communication skills.
  • Humble, respectful, and very professional to others.
  • Able to decide even in stressful, unstable situations.
  • Appetite for Cybersecurity, Fintech, Blockchain and/or Crypto industries.
  • [Bonus] Certifications such as CISSP, GSEC, CEH or CISM are appreciated.
  • [Bonus] Experience from national or international military/cyber defense bodies.
  • [Bonus] Proven track record working on developer tools and/or cybersecurity software.
  • [Bonus] Hands-on experience and willingness to contribute to open source projects.
  • [Bonus] Proven work experience in blockchain, DeFi and/or cybersecurity industries.
  • [Bonus] Extensive knowledge about the crypto custody industry and its use cases.
  • [Bonus] Having been to Chaos Communication Camp or Empire Hacking NYC


Benefits

  • Title: Principal Security Engineer
  • Salary: 140-300K / year (avg base range).
  • Equity: 0.4-0.6% ( 14.4-21.8M in case of 2B exit).
  • Bonus: Peer and spot bonuses after 8 months with us.
  • Location: Hybrid. You can either work in our offices, from home, or remote.
  • Paid time off: No less than 30 days per year, plus national holidays.
  • Employee benefits: Healthcare, life insurance, retirement plan, sponsored transportation, gym cards, food, Apple devices and home office equipment, tuition fee assistance, team retreats, and more.