Application Security Engineer

Rocket.Chat

πŸ“Remote - Brazil

Summary

Join Rocket.Chat's Security team as a Mid-Level Application Security Engineer and work remotely from LATAM. You will report to the Head of Security and be responsible for implementing and maintaining robust security measures, identifying and fixing vulnerabilities, and automating security processes. The role requires experience in penetration testing, knowledge of security assessment tools, and understanding of application security best practices. Desirable skills include experience with cloud services, containerization, and relevant certifications. Rocket.Chat offers a range of benefits including flexible working hours, unlimited paid time off, a company laptop and headphones, remote benefits, access to iTalki, courses and books, stock options, and a multicultural work environment.

Requirements

  • Have previous experience with penetration testing of at least 2 of the following: web applications, APIs, cloud environments, mobile applications, or Active Directory
  • Possess knowledge of security assessment tools (Nessus, OpenVAS, Trivy, Semgrep, GitHub Advanced Security (Dependabot, CodeQL, and Secret Scanning), etc.)
  • Understand application security issues, best practices, and standards such as OWASP Top 10, OWASP ASVS, OWASP WSTG, OWASP Cheat Sheet Series, and the like
  • Have some proficiency in languages such as Python, Go, PowerShell, Bash or JavaScript
  • Have intermediate to advanced English skills

Responsibilities

  • Implement and maintain robust security measures to safeguard the organization's critical assets from cyber threats
  • Identify and fix security vulnerabilities
  • Automate processes and proactively implement security controls to protect applications
  • Update dependencies and change small pieces of code to fix vulnerabilities
  • Triage and handle security issues through the vulnerability management process
  • Support and conduct penetration testing across diverse environments, including web applications, APIs, and cloud platforms
  • Perform threat modelling of new projects and features before and while they are being developed
  • Conduct security architecture and code reviews in order to make recommendations on fixes and mitigation strategies
  • Help write security documentation, especially with regard to application security
  • Build security tooling and automation for internal use
  • Promote security awareness and advocate for best practices within the organization
  • Communicate risks and mitigations effectively

Preferred Qualifications

  • Ability to perform security reviews on JavaScript code
  • Familiarity with a cloud service provider such as AWS, Azure, GCP, or DigitalOcean
  • Familiarity with security on containerization and orchestrators (Docker, Kubernetes, etc.)
  • Familiarity with threat modelling and related standards and methodologies (DREAD, STRIDE, PASTA, etc.)
  • Understanding of compliance frameworks like ISO 27001, SOC 2, or GDPR
  • Relevant certifications such as OSCP, OSWE, CBBH, CPTS, BSCP, PNPT, DCPT, CRTO, CRTP, eJPT, eWPT, and the like

Benefits

  • Flexible Working Hours
  • Fully Remote
  • Unlimited Paid Time Off
  • Holidays and Vacation Days
  • Company Laptop and Headphones
  • Remote Benefit
  • iTalki
  • Courses and Books
  • Stock Options
  • Multicultural environment with colleagues in over 26 countries
  • Vibrant Company Culture
