Fitbit is building a new security team in Bucharest.
Full details here: https://grnh.se/gmt7lrkc1
Brief description of the job:
The application security team at Fitbit is responsible for overseeing the secure design and implementation of applications.
We do this by:
Consulting with software engineers to ensure the relevant controls are built into their work
Assessing software produced by Fitbit and its partners
Participating in the security community to understand new and emerging threats
We try to achieve our mission through innovative ways of collaborating with our software teams that allow them to continue to deliver at scale and ve
What You’ll Work On:
Conduct threat modelling exercises
New security-sensitive functionality (e.g. changes to authentication flows) requires a security team member to be involved
New application infrastructure, e.g. entirely new SOA services, requires feedback from a security engineer
Provide application security consulting to engineers
Perform manual and automated code review
Our goal is to automate as much of our role as possible
Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer
Help enable self-service reviews for engineers
Work on tooling to expedite the process of doing software reviews
Perform ad-hoc application assessments
Assist with Fitbit’s Bug Bounty programs
Help with the replication, prioritization and filing of issues identified via our bug bounty programs
Assist with Fitbit’s developer outreach efforts
Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them
Required Skills:
Significant experience in application penetration testing and source code review
Knowledge of mobile and web application architecture
Ability to read and break code written in different languages, emphasis on Java
Strong understanding of applied cryptography
Strong understanding of web application security technologies like CORS, OAuth, JSONP and browser security concepts such as the same origin policy
Experience with static and dynamic application security tools
A passion for security and technology
Experience in a variety of software development environments and knowledge of contemporary agile software development methodologies
Experience with test-driven development and other agile practices
Broad knowledge of all areas of information technology including networking, operating systems and ideally application development
Strong software development skills in at least one language
Aspires to develop a deep understanding of information security
Experience as a system administrator or security engineer
Experience with managing information security incidents
Solves problems through scripting and automation
Willing to learn new things
Willing to look for innovative or non-standard solutions to problems
Good sense of humor
Calm under pressure
Good time management skills
Interactions with other teams
The application security team is responsible for consulting with software engineering teams about the best and safest way to implement their features. They are also responsible for reviewing the output of software engineering teams for safety.
As such, strong interpersonal skills are required. This person needs to be able to diplomatically provide software engineers with advice, and to coach developers through problems that may be identified in their work.
The successful applicant will be able to positively influence software engineers’ behaviour through their interactions.
Nice-to-Have Skills:
Have a strong development background
Background in infrastructure penetration testing
Experience with compliance such as PCI and/or ISO27000
Experience with exploit/proof of concept development
Experience in information security consulting
Experience in in-house application security teams at larger technology companies with a reputation for security engineering
Incident response experience
Developed tooling to automate information security tasks
Wide knowledge of diverse parts of IT
Worked on open source security projects