Application Security Engineer at Rocket.Chat

Job Title: Application Security Engineer

Level: Mid Level

Working Hours: Full Time (40h/Week)

Contract: Contractor (PJ)

Location: Remote [LATAM]

Your Team 👥

You will report to our Head of Security and join the Security team. On TheOrg you can view the complete structure of our organisation, including information about every team member, hiring managers and the size of each department.

Your Responsibilities ✏️ 

You will be responsible for implementing and maintaining robust security measures to safeguard our organization's critical assets from cyber threats. You will play a crucial role in identifying and fixing security vulnerabilities, automating processes, and proactively implementing security controls to protect our applications.

Mandatory Hard Skills 🎯

• Previous experience with penetration testing of at least 2 of the following: web applications, APIs, cloud environments, mobile applications, or Active Directory;
• Knowledge of security assessment tools (Nessus, OpenVAS, Trivy, Semgrep, Github Advanced Security (Dependabot, CodeQL, and Secrets Scanning), etc.);
• Understanding of application security issues, best practices, and standards such as OWASP Top 10, OWASP ASVS, OWASP WSTG, OWASP Cheat Sheet Series, and the like;
• Some proficiency in languages such as Python, Go, Powershell, Bash or Javascript;
• Intermediate to advanced English.

Desirable Hard Skills 💕 

• Ability to perform security reviews on Javascript code;
• Familiarity with a cloud service provider such as AWS, Azure, GCP, or DigitalOcean;
• Familiarity with security on containerization and orchestrators (Docker, Kubernetes, etc..) can be a nice-to-have;
• Familiarity with threat modelling and related standards and methodologies (DREAD, STRIDE, PASTA, etc.);
• Understanding of compliance frameworks like ISO 27001, SOC 2, or GDPR;
• Relevant certifications such as OSCP, OSWE, CBBH, CPTS, BSCP, PNPT, DCPT, CRTO, CRTP, eJPT, eWPT, and the like are nice-to-have but not mandatory.

Soft Skills ✨

• Ability to collaborate with development teams to ensure that applications are designed with security in mind;
• Excellent problem-solving and troubleshooting skills;
• Effective communication and collaboration skills with both technical and non-technical stakeholders;
• Strong analytical skills to identify root causes of complex issues and develop effective solutions;
• Staying updated with emerging technologies and trends in the field is important for continuous learning.
• Passion: Genuine enthusiasm for what you do and how it contributes to our company's mission;
• Dream: Proactively seek out opportunities and challenges to achieve extraordinary results. If you're someone who takes initiative and is always striving to improve, you'll fit right in;
• Own: Take ownership of your work, set high standards for yourself, and be accountable for outcomes demonstrating a strong sense of responsibility and commitment; 
• Trust: Recognizing the importance of trust and support and actively working towards a collaborative and inclusive workplace;
• Share: Communicating openly and transparently, ensures clarity and honesty in interactions. 

What You'll Do 🖥️

• Update dependencies and change small pieces of code to fix vulnerabilities;
• Triage and handle security issues through our vulnerability management process;
• Support and conduct penetration testing across diverse environments, including web applications, APIs, and cloud platforms;
• Perform threat modelling of new projects and features before and while they are being developed;
• Conduct security architecture and code reviews in order to make recommendations on fixes and mitigation strategies;
• Help write security documentation, especially in regards to application security;
• Build security tooling and automation for internal use;
• Promote security awareness and advocate for best practices within the organization;
• Communicate risks and mitigations effectively.