Quadrant is hiring a

Senior/Lead Security Engineer


Do you want to help secure the experience of millions of people every day? If so, Quadrant.io is looking for people like you!

The team is responsible for the product security efforts for Quadrant.io products. We’re looking for dedicated security engineers, who are able to influence strategic product security efforts and security direction of existing and new products.

We make ourselves available at every stage in the software development lifecycle, facilitating secure design choices without sacrificing the usability of our products. You’ll own the product security effort for several engineering teams within one or more business units.

You will work closely with our engineering teams to scope and implement application security reviews throughout the development cycle, including architecture reviews and threat models, secure code reviews, and platform and application penetration testing.

You’ll be encouraged to be an SME and help lead strategic product security initiatives for all the products supported by the team, learn about multiple products, work with engineering architects, and product organization to build secure products.

We are hiring for a senior / lead security engineer on our team.

Key Responsibilities

  • Develops and maintains a secured application framework (e.g., models, templates, standards, and procedures) that enables Quadrant.io to develop and implement secure solutions and capabilities that are clearly aligned with the business, technology, and threat drivers.
  • Partners closely with the Engineering team and DPO to develop standards and practices for data encryption and tokenization in the organization, based on the organization's data classification criteria.
  • Provide our engineers with well-researched security advice to demonstrate vulnerabilities and provide secure development guidance.
  • Drafts security procedures and standards to be reviewed and approved by executive management and/or formally authorized by the DPO.
  • Implement and manage security metrics, definitions, policies and controls
  • Write and promote secure development practices for our engineers
  • As the security expert, the candidate will work with Engineering teams to ensure applications are secure by design at the onset, perform ad hoc code reviews, and review vulnerability test results to ensure security frameworks are continuously improved to address gaps. The candidate will review the results and work closely with Engineering teams to remediate the identified security vulnerabilities.
  • Conducts or facilitates threat modelling of services and applications that ties to the risks and data associated with the service or application
  • Coordinates with DevOps and software engineering teams to advocate secure coding practices, and to escalate concerns related to poor coding practices to the Management
  • Coordinates with the DPO to document data flows of sensitive information in Quadrant.io’s developed apps across the organization (e.g., PII or CII) and recommend controls to ensure that this data is adequately secured (e.g., encryption and tokenization)
  • Review security technologies, tools and services, and makes recommendations for their use, based on security, financial and operational metrics
  • Constantly question existing security practices and routines, and update, replace, or automate them.
  • Lead vulnerability assessments, penetration testing, security reviews from an attacker's perspective, and security assessment reports
  • Provide mitigation suggestions for the discovered vulnerabilities.
  • Hard-working, independent and able to get things done with minimal direction.
  • Deep expertise in security architecture of systems, sandbox implementations, mobile operating systems (Android/iOS), web applications, security protocols and algorithms
  • Possess strong background and experience as a successful Software engineer/Architect in building large scale, highly available web and mobile applications.
  • Significant experience working on mission critical internet facing applications focusing on the security aspects
  • Passion for security and ability to pick up and learn new technological advances very quickly
  • Exhibits leadership in guiding, adapts to changes in technology and business domains, has good knowledge of latest trends in the market and is well respected within the team
  • Experience with modern identity and access management platforms including MFA.
  • Good knowledge and experience in Spring Boot, API security including OAuth2/OIDC, Tokens, mTLS, NIST Cybersecurity Framework or ISO 27001/2.
  • Strong understanding of OWASP Top 10 and CWE Top 25 would be a PLUS.
  • Solid understanding of Public Cloud (pref. AWS) architecture and security. AWS Security certification is a big plus
  • Knowledge of secure code analysis using code analysis tools such as SonarQube or GitHub Advanced Security
  • Ability to effectively communicate vision and roadmap to all stakeholders.
  • Knowledge/Experience in Agile Development and Management tools, e.g. Jira, Confluence, Jenkins, Sonar, GitHub, Selenium.
  • Experience with black box, grey box, and white box security testing of applications, including manual secure code review.
  • Able to write scripts for tooling
  • Strong grasp of practical cryptography usage, able to recommend the best approach for storage, transport and identity purposes, specifically in the realm of public cloud.
  • Offensive mentality and the ability to think of and consider abuse and attack paths, as well as the defensive attitude to recommend mitigations and prevent them.

With demonstrated experience in the following:

  • CI/CD and DevSecOps methodology
  • Architecting and implementing secure, scalable and resilient solutions in a cloud environment
  • Incident Response and Digital Forensics

Demonstrated knowledge in the following will be a plus:

  • Blockchain and Distributed Ledger Technology (DLT)

Hands-on Tools and Technologies:

  • Application Security Tools such as Burp, OWASP ZAP, brakeman, other DAST and SAST tools.
  • Languages - one or more of: Ruby, Python, Java, Go, Shell, NodeJS, JavaScript, both for performing code reviews and creating your own scripts and tooling (fuzzers, scanners, etc.).

Related Tech Stack knowledge that will be an added advantage:

  • Understanding of modern web technologies and frameworks such as AngularJS, NodeJS, React+Redux, GraphQL, WebSockets.
  • Knowledge of technology used in iOS applications such as SwiftUI, Combine, Tuist, MVVM Architecture, Fastlane, SPM
  • Knowledge of technology used in Android applications such as Kotlin, ProGuard, NDK
  • Work From Anywhere (Remote work)
  • Great Opportunity for Personal and Professional Development
  • You will have the opportunity to work internationally, with an international team, and international clients
  • You will have the chance to work on solving problems in Data-as-a-Service and AI sectors
  • You will have the great opportunity to work in a high growth start-up culture
  • You will get the opportunity to work with the top 8 of 10 tech companies in the US
Contract type
Full Time
Location
Posting date
30 September, 2022
Category