Roles and Responsibilities

Security roles at Rocket.Chat

Junior Security Engineer

  • Vulnerability management: Analysis and reporting of vulnerabilities using a variety of sources.

  • Internal pentest focused on infrastructure and web application.

  • Education of developers on best practices for secure coding.

  • Review security alerts.

  • Participate in projects related to security.

  • Support for bug bounty programs.

  • Access control activities.

  • Participate in forensic analysis.

  • Support for more senior security engineers.

Senior Security Engineer

In addition to the responsibilities of a junior security engineer, a senior security engineer also does the following.

  • Leverage understanding of fundamental to advanced security concepts.

  • Constantly improve product security.

  • Triage and handle/escalate security issues independently.

  • Lead one or more security initiatives.

  • Conduct security architecture reviews and make recommendations.

  • Interview security candidates during the hiring process.

  • Detect and respond to company-wide security incidents.

  • Log analysis.

  • Security forensics.

  • Develop and implement preventative security measures (detection, monitoring, exploitation).

  • Vulnerability management - triage and manage vulnerabilities identified through scanning and manual efforts.

  • Identify and mitigate complex security vulnerabilities before an attacker exploits them.

  • Communicate risks and mitigations across multiple audiences with varying levels of sensitivity.

Staff Security Engineer

In addition to the responsibilities of a senior security engineer, a staff security engineer also does the following.

  • Research and implement technical and process improvements for security at Rocket.Chat.

  • Discover security issues through penetration testing, source code review and design review.

  • Communicate issues and their severities to teams across Rocket.Chat with clear recommendations for how to fix them. Assist with fixing issues as needed.

  • Lead one or more security initiatives.

  • Develop security training and guidance to internal development teams.

  • Help review the most important features and security fixes, also submitting pull requests.

  • Maintain handbooks about best security practices.

  • Provide subject matter expertise on architecture, authentication and system security.

  • Assess security tools and integrate tools as needed into the development process, particularly open-source tools.

  • Manage and grow bug bounty-like programs.

  • Ability to discover and patch XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).

  • Write public blog posts and represent Rocket.Chat as a speaker at security conferences when necessary.

  • Proactively identify and reduce security risks in our code.

  • Find and replace vulnerable code and code libraries.

  • Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures.

  • Educate other developers on secure coding best practices.

Application Security Engineer

  • Work with project managers and technical leads to implement and improve processes regarding SDLC

  • Define and implement an application security strategy

  • Designing and implementing security controls within our application stack

  • Generate and improve reports to guarantee that all processes are healthy

  • Conducting code reviews and threat modeling to identify and mitigate potential security vulnerabilities

  • Maintain and improve our current tooling that detects vulnerabilities in the development process

  • Contributing security-focused feedback to engineers during all phases of the development lifecycle

  • Seeking out opportunities to automate processes when appropriate

  • Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns

  • Maintaining and creating secure development practices and programs for our engineering teams and external developers

  • Acting as an ambassador for security within Rocket.Chat
