Block.one is a software publisher specializing in high performance blockchain technologies. Its first project, EOSIO, an open-source blockchain protocol designed to enable secure data transfer and high-performance decentralized applications, has received global recognition as the first performant blockchain platform for…
We are looking for a [Senior] Security Researcher to be a champion and technical leader on our journey to build a top-grade Product Security organization. You will partner with Engineering, IT and other teams to deliver secure software. You will work on source code and design reviews, fuzzing, penetration testing of applications, and code / vulnerability remediation support. You will help us teach and lead engineering and product teams down the path of developing and delivering secure software, working elbow to elbow with your peers at Block.one.
The ideal candidate will be a mix of hacker, programmer and security evangelist.
- Work as a key security researcher within an elite engineering team delivering industry-leading blockchain protocols and applications.
- Perform web application penetration testing, source code reviews, and/or network penetration testing.
- Support project tasks and deadlines for engineering teams spanning multiple timezones.
- Create unique tools to assist in research project goals.
- Exploit vulnerabilities found in product systems, and clearly communicate complex vulnerabilities to both technical and non-technical staff.
- Create detailed technical reports explaining the technical and business risk of the vulnerabilities found, including actionable recommendations and considerations.
- Participate in project conference calls with internal engineering stakeholders.
- Provide technical leadership/mentorship to the security and engineering teams.
- Contribute to the security industry through presentations, blog posts, whitepapers, responsible disclosure, and/or research.
- Participate in and help lead the broader secure software community at Block.one via the Application Security (AppSec) Guild.
- A combination of formal education and experience in the following areas:
  - Performing senior-level penetration testing and other application security assessment activities.
  - Performing design and code reviews.
  - Demonstrating high ethical standards.
  - Developing and/or delivering training in secure application development practices.
  - Applying offensive security methodologies.
Education and Industry Experience
In general, we are looking for a Bachelor's degree and 5+ years of experience, or an advanced degree and 3+ years of experience, in a field relevant to cyber security, or equivalent experience.
Relevant experience could be a traditional Computer Science background with a formal or avocational focus on security tools and techniques, a formal degree or certificate program in cyber security, direct experience in a cyber security role such as security architect or pen-tester, or equivalent experience. Non-traditional backgrounds are also welcome provided you can demonstrate the requisite skills and knowledge through both direct assessment and documentation of experience.
Required Skills and Knowledge
We are looking for a team member with skills and knowledge covering most of the following topics. Every individual is different, and we understand people will be strong in some areas and not as strong in others. In particular, we understand an entry-level candidate will have limited exposure to some areas of security practice and software engineering.
We seek a candidate with strong technical skills in a variety of areas. As a senior candidate you will have some experience in most or all of these areas and will consider yourself an expert in at least a few of them. This includes:
- Familiarity with attack tools and techniques such as Metasploit, Burp Suite, fuzzing, Gauntlt, Kali Linux and similar.
- Network penetration testing.
- Mobile application penetration testing (iOS and Android).
- Web Services penetration testing (RESTful and SOAP).
- Hardware/Embedded system hacking.
- Reverse Engineering.
- Proficiency with basic Linux systems privilege and permission models, admin and operational concepts, and basic scripting.
- Basic understanding of orchestration and automation tools including at least one of Ansible, Chef, Puppet, Terraform or Saltstack.
- Possess a strong understanding of application architectural patterns, such as MVC, Microservices, Service Oriented Architecture, Serverless, Message bus/event driven, etc.
- Organized and capable of executing complex plans with minimal direction.
- Possess a restlessness and desire to break and break and break into things.
- Knowledge of common attacks and vulnerabilities including the OWASP Top 10 and the CWE/SANS Top 25.
- Strong self-starter who has the ability to operate independently.
- Strong communication skills with the ability to deliver concepts effectively to a non-technical audience, including senior leadership; proficiency in preparing presentations, analytical reports, and documents regarding program operational status, achievements and performance. This includes a requirement for high proficiency in written and spoken English.
A senior and well-rounded individual may have additional skills and experience. These are not required but will be highly valuable in this role.
- Understanding of and experience with:
  - The practice of software development across a larger organization.
  - Agile fundamentals such as Test Driven Development, backlogs and user stories.
  - Continuous Integration/Testing/Delivery tools and techniques.
  - Scanning and intelligence tools such as Qualys, Tenable/Nessus, JFrog Xray and Black Duck.
- A passion for agile development methodologies including TDD/XP/Scrum/Kanban.
- Experience with public cloud concepts, architectures and tools (AWS, Azure and/or GCP).
- Application Security and Penetration Testing certifications such as OSCP, OSCE, OSWE and CEH.
- Other Information and Cyber Security certifications including CISSP, CISM, CompTIA Security+ and GSEC.
- Experience and history of external communications including papers and conference presentations.
About Block.one LLC
Block.one LLC is a creator of Decentralized Autonomous Corporations (DACs), a concept introduced by CTO Daniel Larimer in 2014 that empowers open source communities to disrupt existing centralized business models. Currently we, along with others globally, are developing EOSIO, a revolutionary open-source decentralized blockchain infrastructure that will be used worldwide as the basis for developing countless high-throughput blockchain applications. We are looking for extraordinary technology professionals to join the Block.one LLC team in our continuing quest to enhance, refine and scale EOSIO for our rapidly expanding developer community.
Published by Block.one, EOSIO is a blockchain protocol that enables horizontal scaling of decentralized applications, allowing developers to efficiently create high performance distributed applications. The EOSIO software provides accounts, authentication, databases, and the scheduling of applications across multiple CPU cores and/or clusters. This allows for horizontal scalability, replaces user fees with an ownership model, and powers simple deployment of decentralized applications. Check out the EOSIO GitHub repository to read our source code and, for more information, visit the resources section of the EOSIO website.