Rocket.Chat Handbook

Roles and Responsibilities

Security roles at Rocket.Chat
Junior Security Engineer
  • Vulnerability management: analyze and report vulnerabilities using a variety of sources.
  • Conduct internal pentests focused on infrastructure and web applications.
  • Educate developers on best practices for secure coding.
  • Review security alerts.
  • Participate in projects related to security.
  • Support the bug bounty programs.
  • Carry out access control activities.
  • Participate in forensic analysis.
  • Support more senior security engineers.
Senior Security Engineer
In addition to the responsibilities of a junior security engineer, a senior security engineer also does the following.
  • Leverage an understanding of fundamental to advanced security concepts.
  • Constantly improve product security.
  • Triage and handle or escalate security issues independently.
  • Lead one or more security initiatives.
  • Conduct security architecture reviews and make recommendations.
  • Interview security candidates during the hiring process.
  • Detect and respond to company-wide security incidents.
  • Perform log analysis.
  • Perform security forensics.
  • Develop and implement preventative security measures (detection, monitoring, exploitation).
  • Vulnerability management: triage and manage vulnerabilities identified through scanning and manual efforts.
  • Identify and mitigate complex security vulnerabilities before an attacker exploits them.
  • Communicate risks and mitigations to multiple audiences with varying levels of sensitivity.
Staff Security Engineer
In addition to the responsibilities of a senior security engineer, a staff security engineer also does the following.
  • Research and implement technical and process improvements for security at Rocket.Chat.
  • Discover security issues through penetration testing, source code review and design review.
  • Communicate issues and their severities to teams across Rocket.Chat with clear recommendations for how to fix them. Assist with fixing issues as needed.
  • Lead one or more security initiatives.
  • Develop security training and guidance for internal development teams.
  • Help review the most important features and security fixes, including submitting pull requests.
  • Maintain handbooks about best security practices.
  • Provide subject matter expertise on architecture, authentication and system security.
  • Assess security tools and integrate them as needed into the development process, particularly open-source tools.
  • Manage and grow bug bounty-like programs.
  • Discover and patch XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
  • Write public blog posts and represent Rocket.Chat as a speaker at security conferences when necessary.
  • Proactively identify and reduce security risks in our code.
  • Find and replace vulnerable code and code libraries.
  • Consult with other developers and product managers to analyze and propose application security standards, methods, and architectures.
  • Educate other developers on secure coding best practices.
Application Security Engineer
  • Work with project managers and technical leads to implement and improve processes regarding the SDLC.
  • Define and implement an application security strategy.
  • Design and implement security controls within our application stack.
  • Generate and improve reports to guarantee that all processes are healthy.
  • Conduct code reviews and threat modeling to identify and mitigate potential security vulnerabilities.
  • Maintain and improve our current tooling that detects vulnerabilities in the development process.
  • Contribute security-focused feedback to engineers during all phases of the development lifecycle.
  • Seek out opportunities to automate processes when appropriate.
  • Communicate risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns.
  • Maintain and create secure development practices and programs for our engineering teams and external developers.
  • Act as an ambassador for security within Rocket.Chat.