As an Application Security Engineer at Vimeo, you will engage in a variety of activities, either offensive, defensive, or some combination thereof, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.

You’ll plan, carry out, and lead security initiatives to monitor and protect sensitive data and systems from infiltration and cyber-attacks.

You will likely collaborate frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.

You love to solve puzzles, and are a great team player.

This role is remote.

What you’ll do:

Depending on your preferences and the current needs of the team, you may either focus on just one or two of the following areas, or you may choose to become involved with many of them.

• Penetration testing — either hunt for security issues on our production or staged applications during an open-box internal pen test, or help coordinate an engagement with an external firm
• Threat modeling — consider how malicious attackers may compromise our systems, and advise developers and product managers on what defenses are needed
• Code reviews — discover weakness in our source code before it reaches production
• Bug bounty program — help triage new incoming reports on a daily basis, plus launch creative initiatives to increase researcher engagement on our programs
• Remediation — enable and encourage developers to correctly fix recently discovered security issues in a timely manner, ultimately reducing our Mean Time To Remediate
• Secure Software Development Lifecycle — configure automated tooling (eg. SAST, DAST, IAST) in our SDLC to detect security issues in our source code before it reaches production
• Writing code for internal security tools — write some code, usually in Python, Bash, or Go, to support any of our team's various initiatives
• Developer Education, Security Culture — create fun ways to spread technical security awareness throughout the engineering department
• Incident response — lead or assist in running the various phases of an incident response, including initial detection, triage, containment, recovery, root cause analysis, retrospective, etc.
• Collaboration with the infrastructure security team — pair with members of the infrastructure security team on various projects to secure our cloud instances and employee workstations
• Collaboration with the compliance and privacy team — help ensure that our company complies with industry best practices and standards
• Process improvements — help strengthen our own internal processes and procedures
• A typical day will look like:
• Review new tickets in our bug bounty program (http://hackerone.com/vimeo)
• A call or two with Development, Product Management teams to discuss security-related issues
• Pen test a new feature in a staging environment with Burp Pro
• Assist the compliance team on a privacy-related project
• Provide technical advice in response to occasional questions from developers and other members of the security team

Skills and knowledge you should possess:

• 4+ years experience in Application Security preferred
• Strong knowledge of modern web, mobile, and network security
• Strong programing skills with at least one of the following languages, and the ability to read all of them: Python, Go, PHP, Javascript, and Ruby
• Expertise with application pen testing, using tools like Burp or Zap
• Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.
• Confident with shell scripting
• Confident with common SDLC components, like git, Jira, Jenkins, etc
• Confident ability to communicate technical security concepts to developers
• At least an upper-intermediate level of English

Bonus points:

• Link to a Github repo with security tools/scripts you’ve developed or help maintain
• Full-stack web development experience creating RESTful applications (in any language) is a big plus
• Open source vulnerability research or blog posts is a big plus
• Experience with system security hardening guidelines and SDLC principles

About us:

Vimeo is the world’s leading all-in-one video software solution. Our platform enables any professional, team, and organization to unlock the power of video to create, collaborate and communicate. We proudly serve our growing community of over 200 million users — from creatives to entrepreneurs to the world’s largest companies.

Vimeo is headquartered in New York City with offices around the world.  At Vimeo, we believe our impact is greatest when our workforce of over 650 passionate, dedicated people, represents our diverse and global community. We’re proud to be an equal opportunity employer where diversity, equity and inclusion is championed in how we build our products, develop our leaders, and strengthen our culture.

Learn more at www.vimeo.com

Learn more at www.vimeo.com/jobs