Roles and Responsibilities

Junior Security Engineer

• Vulnerability management: Analysis and report of vulnerabilities using a variety of sources.

• Internal pentest focused on infrastructure and web application.

• Education of developers on best practices for secure coding.

• Review security alerts.

• Participate in projects related to security.

• Support to bug bounty programs.

• Access control activities.

• Participate in forensic analysis.

• Support for more senior security engineers.

Senior Security Engineer

In addition to a junior security engineer, a senior security engineer also does the following.

• Leverage understanding of fundamental to advanced security concepts.

• Constantly improve product security.

• Triages and handles/escalates security issues independently.

• Leads one or more security initiatives.

• Conduct security architecture reviews and makes recommendations.

• Interview security candidates during hiring process.

• Detect and respond to company-wide security incidents.

• Log analysis.

• Security forensics.

• Develop and implement preventative security measures (detection, monitoring, exploitation).

• Vulnerability management - triage and manage vulnerabilities identified through scanning and manual efforts.

• Identify and mitigate complex security vulnerabilities before an attacker exploits them.

• Communicate risks and mitigations across multiple audiences with varying levels of sensitivity.

Staff Security Engineer

In addition to a senior security engineer, a staff security engineer also does the following.

• Research and implement technical and process improvements for security at Rocket.Chat.

• Discover security issues through penetration testing, source code review and design review.

• Communicate issues and their severities to teams across Rocket.Chat with clear recommendations for how to fix them. Assist with fixing issues as needed.

• Leads one or more security initiatives.

• Develop security training and guidance to internal development teams.

• Help review most important features and security fixes, also submitting pull requests.

• Maintain handbooks about best security practices.

• Provide subject matter expertise on architecture, authentication and system security.

• Assess security tools and integrate tools as needed into the development process, particularly open-source tools.

• Manage and grow bug bounty-like programs.

• Ability to discover and patch XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).

• Write public blog posts and represent Rocket.Chat as a speaker at security conferences when necessary.

• Proactively identify and reduce security risks in our code.

• Find and replace vulnerable code and code libraries.

• Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures.

• Educate other developers on secure coding best practices.

Application Security Engineer

• Work with project managers and technical leads to implement and improve processes regarding SDLC

• Define and implement an application security strategy

• Designing and implementing security controls within our application stack

• Generate and improve reports to guarantee that all processes are healthy

• Conducting code reviews and threat modeling to identify and mitigate potential security vulnerabilities

• Maintain and improve our current tooling that detects vulnerabilities in the development process

• Contributing security-focused feedback to engineers during all phases of the development lifecycle

• Seeking out opportunities to automate processes when appropriate

• Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns

• Maintaining and creating secure development practices and programs for our engineering teams and external developers Acting as an ambassador for security within Rocket.Chat