crash4g


  1. Fitbit is building a new security team in Bucharest and is looking for experienced incident responders.

     Team Mission

     The information security team exists to create a culture of information security within Fitbit to ensure that our data and our customer's data remain safe. We aim to achieve this by looking for innovative solutions that allow the business to deliver at scale and velocity. We also like to try and have a little fun along the way.

     Main Responsibilities

     Own Our Incident Response Processes
       • Take control of incident response at Fitbit and be the key contact person in the event of a major incident
       • Improve our incident response processes and procedures

     Detect Incidents
       • Monitor output from anti-malware tooling
       • Understand and monitor our applications for signs of compromise
       • Develop tooling to help facilitate ongoing low false-positive monitoring
       • Integrate into our change management processes to detect unauthorized change
       • Understand and monitor our production and corporate infrastructure for signs of compromise
       • Triage and escalate alerts

     Respond to Incidents
       • Assist with investigations into suspected incidents
       • Create processes and tooling to increase the efficiency of the response process

     Identify Opportunities for Improvement
       • Assist the information security team to identify better ways of achieving their mission
       • Assist with the development and integration of incident detection and response tools
       • Assist with the development and integration of security incident prevention tools

     Characteristics of a Good Applicant
       • Self-sufficient and self-guided
       • Someone who can create new processes (i.e. not just someone who is used to executing a process that someone else has created)
       • Broad knowledge of all areas of information technology including networking, operating systems and ideally application development
       • Experience in information security, specifically in incident response
       • Experience as a system administrator, developer or security engineer
       • Understanding of techniques used by malware and of basic malware analysis methodologies
       • Solves problems through scripting and automation
       • Willing to learn new things
       • Willing to look for innovative or non-standard solutions to problems
       • Good sense of humor
       • Calm under pressure
       • Good time management skills

     More details can be found here: https://grnh.se/uejf5slr1
  2. Fitbit is building a new security team in Bucharest. Full details here: https://grnh.se/gmt7lrkc1

     Brief description of the job:

     The application security team at Fitbit is responsible for overseeing the secure design and implementation of applications. We do this by:
       • Consulting with software engineers to ensure the relevant controls are built into their work
       • Assessing software produced by Fitbit and its partners
       • Participating in the security community to understand new and emerging threats

     We try to achieve our mission through innovative ways of collaborating with our software teams that allow them to continue to deliver at scale and ve

     What You’ll Work On:
       • Conduct threat modelling exercises
           • New security sensitive functionality (e.g. changes to authentication flows) requires a security team member to be involved
           • New application infrastructure, e.g. entirely new SOA services, requires feedback from a security engineer
       • Provide application security consulting to engineers
       • Perform manual and automated code review
           • Our goal is to automate as much of our role as possible
           • Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer
           • Help enable self-service reviews for engineers
           • Work on tooling to expedite the process of doing software reviews
       • Perform ad-hoc application assessments
       • Assist with Fitbit’s Bug Bounty programs
           • Help with the replication, prioritization and filing of issues identified via our bug bounty programs
       • Assist with Fitbit’s developer outreach efforts
           • Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them

     Required Skills:
       • Significant experience in application penetration testing and source code review
       • Knowledge of mobile and web application architecture
       • Ability to read and break code written in different languages, emphasis on Java
       • Strong understanding of applied cryptography
       • Strong understanding of web application security technologies like CORS, OAuth, JSONP and browser security concepts such as the same origin policy
       • Experience with static and dynamic application security tools
       • A passion for security and technology
       • Experience in a variety of software development environments and knowledge of contemporary agile software development methodologies
       • Experience with test-driven development and other agile practices
       • Broad knowledge of all areas of information technology including networking, operating systems and ideally application development
       • Strong software development skills in at least one language
       • Aspires to develop a deep understanding of information security
       • Experience as a system administrator or security engineer
       • Experience with managing information security incidents
       • Solves problems through scripting and automation
       • Willing to learn new things
       • Willing to look for innovative or non-standard solutions to problems
       • Good sense of humor
       • Calm under pressure
       • Good time management skills

     Interactions with other teams

     The application security team is responsible for consulting with software engineering teams about the best and safest way to implement their features. They are also responsible for reviewing the output of software engineering teams for safety. As such, strong interpersonal skills are required. This person needs to be able to diplomatically provide software engineers with advice, and to coach developers through problems that may be identified in their work. The successful applicant will be able to positively influence software engineers’ behaviour through their interactions.

     Nice-to-Have Skills:
       • Have a strong development background
       • Background in infrastructure penetration testing
       • Experience with compliance such as PCI and/or ISO27000
       • Experience with exploit/proof of concept development
       • Experience in information security consulting
       • Experience in in-house application security teams at larger technology companies with a reputation for security engineering
       • Had incident response experience
       • Developed tooling to automate information security tasks
       • Have a wide knowledge from diverse parts of IT
       • Worked on open source security projects