We are looking for a Senior Security Researcher to work on source code review, fuzzing, penetration testing of applications, and code / vulnerability remediation support. Responsibilities: Work as a key security researcher within an elite engineering team delivering industry-leading blockchain protocols and…
As the Vice President of Product Security at Block.one, you will be responsible for the strategy, planning, development, and day-to-day operations of the global product and application security program (PSP) for the company. The product security program encompasses the secure design, engineering, and maintenance by Block.one of its external and internal-facing technologies, both open source and proprietary.
You will grow a best-in-class team of direct hire employees and third party specialists who will develop secure SDLC policies, standards, and guidelines, and drive adoption of new secure application and cloud architectural designs to create groundbreaking, secure blockchain-based applications. You will regularly collaborate with the business heads and the wider security and engineering organizations to address cloud and blockchain security and compliance challenges and engage in a variety of security-related projects and initiatives.
- Grow and manage the global Block.one Product Security Team (PST) to develop and drive programmatic efforts to address external, internal, and emerging application security risks throughout the organization.
- Serve as the company’s Secure Development Lifecycle (SDLC) leader, leading the overall PSP program strategy, developing key policies and standards, and advising company leadership and stakeholders on related subject matter.
- Develop key partnerships with engineering leadership across the company and work to improve knowledge, skills, and abilities within their staff to facilitate positive change in secure coding and engineering.
- In a primarily Agile and DevOps environment, develop and deliver application security strategy, including but not limited to the operating model, staffing, training, and execution plans.
- Working with the application teams, initially in Virginia and Hong Kong, ensure that product security risks are effectively identified and appropriately addressed while maintaining a balance across agility, speed to market, security and usability.
- Develop and facilitate Block.one’s product vulnerability management program, including internal coordination and triage of security-related vulnerabilities, and management of external vulnerability management programs and bug sources.
- Act as an application security evangelist who can translate security concepts into language that is meaningful to varying audiences, including business and technical leaders.
- Integrate new and existing security tools, standards, and processes into the development life cycle, including automated static and dynamic analysis, manual code review, fuzzing, and open source testing tools.
- Produce metrics reporting the state of application security programs and performance of development teams against requirements.
- Working with key engineering stakeholders and team members, assess the current application security environment against regulatory and industry requirements to identify areas of noncompliance and gaps to be remediated for all application security requirements, including GDPR and other global financial services and sovereign regulations and industry standards.
- Conduct program / business unit level security architecture assessments to evaluate existing security program and cloud application architecture, identify weaknesses and make recommendations.
- Conduct threat modeling to assess security threats and risks in order to define and implement appropriate architectural security.
- Develop security architecture standards, frameworks and design patterns spanning all layers of security from host, server, mobile, and network to application and data security.
- Stay current with security technologies such as cloud platform security, DevOps security, identity and access products, endpoint security products, network security technology and mobile security technologies, and make recommendations for engineering teams.
- Evaluate and engage with best-in-class 3rd party vendors and specialists as required.
Experience and Qualifications:
- MS Degree in Computer Science, Engineering or a related technical discipline and / or at least 10+ years of related security engineering, R&D leadership, and software engineering experience
- 5+ years of experience with security including architecture or security engineering, user, platform and device authentication, and various levels of access controls and authorization, enterprise directories and their integration with other systems in a large, complex environment
- Experience with application security technologies such as code scanning, FOSS, vulnerability analysis, and security for automated deployments
- Demonstrated knowledge of infrastructure security, including Windows, Unix/Linux, desktop/laptop, and mobile security, as well as knowledge on cryptography and PKI
- Demonstrated ability to think strategically about business, product, and technical challenges
- Experience with a wide range of IT system components including architecture, authentication, connectivity, system hardware and software components, virtualization, cloud computing, and mobile
- Knowledge of application security, including Web Services, as well as Agile and DevOps, mobile security and mobile development
- Proven understanding of security for structured databases and unstructured data
- Experience with enterprise class security products such as Identity Management and Single-Sign-On
- Experience with cloud technologies like Amazon Web Services, GCP, Azure, etc.
- Proven ability to work with compliance frameworks and requirements such as GDPR, SOX, FFIEC etc.
- Demonstrated knowledge of threat modeling frameworks, threat and vulnerability management approaches, and security monitoring and analytics
- Ability to manage 3rd party vendors and contractors
- Experience with authoring secure SDLC guidance, including policies, strategies, and whitepapers
- Prior work experience in financial services or social media / real-time operations environments.
- Ability to work in a fast paced, high tech environment juggling multiple priorities while meeting deadlines.
- Must be committed to a culture of continuous improvement and continuous delivery.
- Exceptional customer service skills, in addition to extensive experience working in a team-oriented, collaborative environment.
- Strong communication, influencing and presentation skills.
- Ability to maintain a positive attitude in high pressure situations and manage distributed teams with competing priorities and tight deadlines.