Application Security Engineer

This position is open exclusively for
Ukrainian residents within Ukraine
(preferably Kyiv or Lviv).

Cossack Labs is looking for an Application security engineer to join our Security team and work with us on building and breaking software. If you are interested in designing and building security controls, working hand-in-hand with software developers, performing security assessments, this may be the position for you.

We are ready to invest time in your education if you are prepared to work diligently and responsibly. Alongside technical skills, we'll teach you leadership, time management, business context, and how to keep improving cybersecurity despite the ever-increasing entropy of the world.

Responsibilities:

• Perform security assessment and review of code and behavior of systems (web, API, backends).
• Participate in SSDLC for our products and our customers' products. Explain risks & threats, work together with developers to select security controls that would improve security without restricting usability/performance.
• Take part in organisation security practices and work with business owners (risk assessment, craft policies for organisations, guide companies for more secure future).
• Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how threat landscape is changing, understand how to apply described ideas, read NIST guidelines).
• Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. See example of our work.
• Share your work as conference talks, blogposts (see Security autotests post), contribute to open source standards like OWASP.

Requirements:

• 2+ years as an application security engineer or similar position.
• Experience in performing security assessment for web applications.
• Experience in selecting or designing security controls in a technically diverse environment.
• Be familiar with application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS.
• Understanding SSDLC (OWASP SSDLC, NIST SSDF).
• Communication skills: you will communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
• An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls.
• Experience in popular security tools required for the job, or ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST, dependency and vulnerability scanners).

Nice to have:

• A certain area of expertise and deep interest: web, mobile, IoT, infrastructure — an area where you have "seen things" and ready to share experience.
• Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
• Understanding security standards and methodologies (NIST, ISO, CMMI, SOC).
• Understanding risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
• Practical experience in scripting languages: Python or Bash.

Our hiring process:

• Resume review — 1-5 business days.
• Test task — estimated time 3-4 hours.
• Introductory meeting with the Head of security engineering.
• Technical interview with several team members.
• Offer discussion.

What's in it for you?

• A sense of meaning and responsibility for those who seek purpose — we're building "invisible texture of modern civilization"—bits of infrastructure finance, power grids, healthcare rely on, and we are trusted with very challenging aspects of it.
• Competitive compensation with a flexible bonus scheme.
• Hybrid work model: this position allows for a combination of in-office and remote work as needed.
• UK, EU and USA clients.
• Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
• Public track record in the open-source aspect of our products.
• Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
• Paid vacation — 21 business days per year.
• Paid sick leaves.