About the Role

This technology professional will be responsible for securing WeWork applications and infrastructure. You will work closely with the engineering teams to ensure security is part of the SDLC. Penetration testing, code review, and threat modeling, will be some of the duties you will be responsible for. Additionally, you will assist with research and development projects that further push the boundaries of the state of information security.

Role Responsibilities:

• Perform penetration tests and code reviews of WeWork applications (Web/Mobile)

• Teach secure development practices to software engineers

• Work with Application Teams to threat model their projects in all aspects of the SDLC

• Make recommendations to help improve WeWork application security posture

• Validate and triage vulnerabilities submitted by researchers from our bug bounty program

• Keep security documentation and policies up to date

• Work with the Security Director to manage third-party audits and compliance reviews

• Assist with automation development of security processes

• Manage all 3rd party security vulnerability scans and triaging of found risks

• Help automate enforcement of PCI and ISO 27001 requirements in our environments

• Advancing your personal knowledge of information security to stay bleeding edge

• Strong troubleshooting skills

Desired Skills and Experience

You should have:

• Solid experience with web/mobile application pentesting

• Solid experience reviewing source code (Rails/Java/PHP/NodeJS/JS/Android/iOS/etc.)

• Solid experience using a scripting language such as python, ruby, etc.

• Solid understanding of web/mobile security fundamentals

• Solid understanding of Linux architecture and security

• Solid understanding of AWS design and cloud security

Preferred Experience

• Bachelor’s degree in Computer Science, Information Systems, or related field and/or 3+ years of equivalent work experience required

• Knowledge of modern enterprise and security architectures, their challenges, common approaches to overcome their challenges, and their inherent security strengths and weaknesses

• Professional certifications such as: OSCP, OSCE, GPEN or other relevant industry certification strongly preferred

• Actively or previously participated security CTF competitions

• Actively or previously participated in Bug Bounty programs such as Hackerone or Bugcrowd

• Has given talk at a major or minor security conference