As an Offensive Security Engineer at Vimeo, you will use the latest and greatest open-box and closed-box techniques to identify security weaknesses in our customer-facing web applications, our mobile applications, our backend microservices, our internal employee-facing services, and our cloud infrastructure.

You will have staging and production environments at your disposal to hack on everything from our oldest legacy components to our newest unreleased features.

You will partner with fellow pen testers to plan, carry out, and lead initiatives related to ethical hacking, red teaming, and pen testing.

You will collaborate heavily with the rest of the Application Security team, as well as the greater security team, in a variety of activities, mostly offensive in nature, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.

You will work frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.

Do you love to solve puzzles? Are you a great team player? Do you care tremendously about code quality? Then please consider joining our team!

What you’ll do:

• Internal open-box ethical hacking
• Red teaming exercises
• Assisting with periodic external penetration tests
• Mentoring colleagues
• Other potential tasks — managing our public bug bounty program, threat modeling of new features, code reviews, installation and tuning of SDLC automation, incident response, developing internal ad hoc security tools, collaborating with the infrastructure security team, collaborating with the compliance and privacy team, promoting security awareness throughout the organization, teaching defensive coding standards, consulting on remediation strategies, etc.
• A typical day will look like this:
• Pentest a new feature in a staging environment
• Manual source code audit for vulnerabilities in legacy components
• Meet with folks on the Product team to learn about their newest upcoming features
• Validate a recent remediation effort by reading the PR and hacking on the feature
• Review a few new tickets in our bug bounty program (http://hackerone.com/vimeo)
• Check an alert from a tool that continuously monitors our infrastructure for exposed services
• Assist the compliance team on a privacy-related project
• Provide technical advice in response to occasional questions from developers and other members of the security team

Skills and knowledge you should possess:

• 8+ years experience in Application Security preferred
• Expertise with web application penetration testing
• Mastery detecting and exploiting all vulnerabilities on the OWASP Top 10, as well as others
• Strong knowledge of modern web, mobile, and network security
• Ability to read code in all of the following languages Python, Go, PHP, Javascript, and Ruby
• Knowledge of modern frameworks
• Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.
• Confident with shell scripting and/or Python
• Confident with common SDLC components, like git, Jira, Jenkins, etc.
• Confident ability to communicate technical security concepts to developers
• At least an upper-intermediate level of English
• Expertise with Burp or OWASP Zap, as well as other semi-automated tools for enumeration, content discovery, exploitation, etc.

Bonus points (nice skills to have, but not needed):

• Links to HackerOne/BugCrowd/Intigriti/Synack profile
• Links to CVEs discovered
• Link to a Github repo with security tools/scripts you’ve developed or help maintain
• Full-stack web development experience creating RESTful applications (in any language)
• Open source vulnerability research or blog posts

#LI-TA1