As a Sr. Application Security Engineer at Vimeo, you will engage in a variety of activities, either offensive, defensive, or some combination thereof, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.
You'll plan, carry out, & lead security initiatives to monitor & protect sensitive data & systems from infiltration & cyber-attacks.
You will likely collaborate frequently with & support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, & other teams throughout the organization.
You love to solve puzzles, & are a great team player.
This role is remote.
What you'll do:
Depending on your preferences & the current needs of the team, you may either focus on just one or two of the following areas, or you may choose to become involved with many of them.
- Penetration testing: either hunt for security issues on our production or staged applications during an open-box internal pen test, or help coordinate an engagement with an external firm
- Writing code for internal automated security tools: write some code, usually in Python, Bash, or Go, to support any of our team's various initiatives. Often we strive to facilitate a culture of paved roads for our developers, such that it is easy for any developer to incorporate security into their designs & implementations
- Threat modeling: consider how malicious attackers may compromise our systems, & advise developers & product managers on what defenses are needed
- Code reviews: discover weaknesses in our source code before they reach production
- Bug bounty program: help triage new incoming reports on a daily basis, plus launch creative initiatives to increase researcher engagement on our programs
- Web Application Firewall & Rate Limiting: expand coverage & tune new rules while coordinating with developers, support team members, & the site reliability team
- Remediation: enable & encourage developers to correctly fix recently discovered security issues in a timely manner, ultimately reducing our Mean Time To Remediate
- Secure Software Development Lifecycle: configure automated tooling (e.g. SAST, DAST, IAST) in our SDLC to detect security issues in our source code before it reaches production
- Developer Education, Security Culture: create fun ways to spread technical security awareness throughout the engineering department
- Incident response: lead or assist in running the various phases of an incident response, including initial detection, triage, containment, recovery, root cause analysis, retrospective, etc.
- Collaboration with the infrastructure security team: pair with members of the infrastructure security team on various projects to secure our cloud instances & employee workstations
- Collaboration with the compliance & privacy team: help ensure that our company complies with industry best practices & standards
- Process improvements: help strengthen our own internal processes & procedures
A typical day will look like:
- Review new tickets in our bug bounty program (http://hackerone.com/vimeo)
- A call or two with Development, Product Management teams to discuss security-related issues
- Pen test a new feature in a staging environment with Burp Pro
- Assist the compliance team on a privacy-related project
- Provide technical advice in response to occasional questions from developers & other members of the security team
Skills & knowledge you should possess:
- Required: 2+ years of prior experience in either software development, DevOps, or site reliability engineering
- Preferred: prior experience in Application Security
- 4+ total years of relevant experience in Engineering, Application Security, or a similar technical field.
- Strong knowledge of modern web, mobile, & network security
- Expertise with application pen testing, using tools like Burp or ZAP
- Confident working in & across cloud environments like AWS & GCP. Detailed knowledge of at least one cloud environment.
- Confident with shell scripting
- Confident with common SDLC components, like git, Jira, Jenkins, etc
- Confident ability to communicate technical security concepts to developers
Bonus points (nice skills to have, but not needed):
- Link to a GitHub repo with security tools/scripts you've developed or help maintain
- Full-stack web development experience creating RESTful applications (in any language) is a big plus
- Open source vulnerability research or blog posts are a big plus
- Experience with system security hardening guidelines & SDLC principles
Targeted Base Salary Range: $136,000 to $194,500
The base salary range listed above is for candidates located in the U.S., including the New York City metro area.
At Vimeo, we strive to hire & nurture amazing talent across the globe. Actual salaries will vary depending on factors including but not limited to experience, specialized skills, internal alignment & a candidate's home base.
Base salary is just one component of Vimeo's total rewards philosophy. We offer a wide range of benefits & perks that appeal to the variety of needs across our diverse employee base! Other rewards may include bonus or commission, Restricted Stock Units (RSUs), paid time off, generous 401k match, wellbeing resources, & more.
Vimeo (NASDAQ:VMEO) is the world's most innovative video experience platform. We enable anyone to create high-quality video experiences to connect better & bring ideas to life. We proudly serve our growing community of nearly 300 million users, from creative storytellers to globally distributed teams at the world's largest companies. Learn more at www.vimeo.com.
Vimeo is headquartered in New York City with offices around the world. At Vimeo, we believe our impact is greatest when our workforce of passionate, dedicated people represents our diverse & global community. We're proud to be an equal opportunity employer where diversity, equity, & inclusion are championed in how we build our products, develop our leaders, & strengthen our culture.