Senior Offensive Security Engineer
The team is comprised of our Defensive and Offensive Engineering teams alongside our Information Security Officers, whilst our CISO leads the operation. Our security team interact with the product and platform engineering teams across the company to promote best practices and awareness. They’re continually baking security into our culture, utilising new technologies and open-source tools to ensure high standards of security are maintained.
Form3’s Offensive Security Engineering division is becoming rapidly more sophisticated in their approach to security testing. This team is tasked with identifying vulnerabilities and continually improving our resilience from attackers from the attacker’s perspective. With a wide range of tools and technologies available to you this is your opportunity to help Form3 protect its most important assets and services. Below are some examples of projects the team is working on:
- Penetration Testing the increasingly growing ecosystem of Form3.
- Conduct code reviews and security reviews of Form3’s Infrastructure (Cloud, Kubernetes).
- Participate in threat modelling sessions and help in vulnerability remediation.
- Maintaining and advocating the DevSecOps mindset we have created across the business.
- Creating new tools and methodologies to enable our team to deploy creative and effective threat assessments.
- Researching new security vulnerabilities, threats and exploits.
- Infrastructure: AWS, GCP, Azure, Kubernetes (this will increase as we go cloudagnostic)
- Platform: CockroachDB, EKS, GKE, PostgresDB, Vault, Consul, Linkerd, Cilium, NATS
- Tools: Terraform, Github, Flux, Prometheus, Pact.io, TFSec, Travis CI
- Code: Go, (a little Java), CQRS, Open-Source, Python (Security tools)
- Ways of working: DevSecOps, GitOps, TDD/BDD, Pair Programming, 100% Remote
WHAT WE NEED FROM YOU AND WHY
- Confidence within a DevSecOps environment, here at Form3 DevSecOps is our chosen methodology/ mindset so experience with automatic code analysis, IaC (Terraform preferably) security and CI/CD pipeline security reviews is critical here. This extends to having the ability to not only test but offer hands-on assistance in the remediation stages.
- In depth knowledge of Web Application penetration testing and experience with source code reviews. Manual penetration testing experience together with the ability to develop automated testing scripts.
- Experience in Cloud-Native/ Multi-Cloud offensive security engineering. Form3 is rapidly approaching it’s goal of becoming platform-agnostic, our OffSec team is tasked with offering business leaders a clear perception of the cloud threat landscape through extensive testing and research.
- Experience in Kubernetes and Container security reviews and exploitation. Running on a micro-service, distributed architecture, our OffSec team are challenged with finding and exploiting vulnerabilities and loopholes to ensure that our architecture is as secure and impenetrable as possible, networks and bare metal are included within this scope.
SPECIFIC DESIRABLES AND YOUR SPECIALISMS
- Strong programming skills, we are flexible on languages, we use Go as our main language for production so a willingness or interest to learn Go is fundamental. In security we write our own scripts for automation in Python, Go and other languages while contributing to open-source tools so we can utilise them.
- In-depth knowledge and capabilities using Linux and Unix technologies and how these can be used in the attack matrix to allow for privileged escalation and lateral movement.
- Active contribution to Open-Source projects and tools is highly encouraged at Form3 so prior interest in this is always welcomed.
- Keen interest in new and emerging threats, vulnerabilities and adversary advancements coupled with the ability to present these to the wider team.
- Qualifications: OSCP, OSWE, CCT App or Inf (or equivalent), CCSAS, CCSP, Cloud Specific Qualifications
- 30 days holidays plus public holidays
- 100% remote work
- Flexible working arrangements
- Statutory benefits
- Health & wellness allowance
- Remote working equipment allowance
- Primary caregiver leave
- Learning days, Udemy and educational reimbursement etc.
- Mental Health support via Spill
- Perlego subscription
- Full details available on our careers page
OUR DEI&B COMMITMENT
We hire talented people from a variety of backgrounds and experiences and are committed to a work environment based on diversity, open-mindedness and curiosity. We’re united by our company values (we even created them together!) and we celebrate our unique differences.
Our employee lifecycle processes are designed to embrace equal opportunity and prevent discrimination against our people regardless of personal characteristics. It is our strong belief that the more inclusive and belonging we are as a business, the better our work will be.
As an inclusive employer, we guarantee to interview all neurodiverse and physically disabled applicants who meet the minimum criteria for this role. We also encourage candidates to notify us of any reasonable adjustments that may be required during the recruitment process. This includes providing job adverts in alternative, accessible formats or adjustments required at interview stage.
If you consider yourself to be neurodiverse or physically disabled under the UN definition of disability and would like to be considered under this scheme and/or require any reasonable adjustments please let us know by sending an email to email@example.com clearly stating your consent for us to process this data.
For more information please refer to our Recruitment Data Policy.