Cossack Labs — вакансії

Cossack Labs is looking for an Security Solutions Architect to join our Security team and work with us on building secure software and solutions for our customers. If you are interested in designing and building security solutions that address complex risks and threats, reviewing and implementing API protocols and subsystems, designing security controls, working hand-in-hand with software developers to build secure systems – this may be the position for you.
Markets: EU, UK, USA.

You will:

• Architect security features, modules and protocols in mission critical software, ensuring alignment with business objectives, functional and non-functional requirements.
• Assess and evaluate the security design of systems, components and their API.
• Search for security weaknesses in software designs from novel fields and areas.
• Perform risk analysis and threat modelling to evaluate available and missing security controls.
• Collaborate with stakeholders, including developers, product managers, and executives, to gather requirements and translate them into security architecture.
• Participate in SSDLC for our products and our customers’ products. Explain architecture choices, work together with developers to select security controls that would improve security without restricting usability/performance.
• Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how threat landscape is changing, understand how to apply described ideas, read NIST guidelines).
• Dive into application security, infrastructure security, cloud and on-prem infrastructures, dedicated hardware, IoT security, ML security, and weird stuff beyond casual imagination with our team of skilled engineers. See example of our work.
• Share your work as conference talks, blogposts (see React Native security example, contribute to open source standards like OWASP.

We would expect you to have:

• Experience designing and implementing security controls in a technically diverse environment.
• Experience in performing design review and architecture for multi-component systems (web, cloud, hardware).
• Understanding security standards and methodologies (NIST, ISO, CMMI, SOC).
• Understanding SSDLC and its difficulties. OWASP SSDLC, NIST SSDF.
• Communication skills: you will communicate about security technical topics with both technical and non-technical audiences (C-level managers, developers, product owners).
• An overall understanding of what information security is, how real-world risks and threats affect the choice of security controls. How to combine detective, preventive and corrective controls.
• Experience in popular security tools required for the job, or ability to learn them quickly.

As a plus you’d have:

• Understanding risk management and threat modelling (NIST RMF, FAIR, STRIDE, MITRE ATT&CK).
• Understanding of application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS, OWASP MASVS.
• A certain area of expertise and deep interest: web, cloud, IoT, infrastructure – an area where you have “seen things” and ready to share experience.
• Experience with clouds: AWS, Azure, GCP, understanding the "cloud responsibility gap".
• Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
• Knowledge in one of several business domains: banking/finance/payment processing, cryptocurrencies.
• Practical experience in any programming language.