Senior Security Engineer - Tax Security (Charlotte)

  • Credit Karma
  • San Francisco, CA, USA
  • Mar 25, 2022
Full time Developer JAVA

Job Description

Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual developer, everyone views security as a personal responsibility. The successful candidate should understand basic concepts such as networking, applications, and operating system functionality and be able to learn advanced concepts such as application manipulation, exploit development, and stealthy operations. Your unique mission as a Software Security Engineer on the Tax Team is to identify potential weaknesses in the foundational infrastructure and core application and strategically reinforce them, enabling the engineering team to focus fiercely on new features. The assessments will drive the company’s ability to protect, detect and respond to cyber-attacks.

What You'll Do

  • Perform network penetration, web and mobile application testing, source code reviews, threat analysis, wireless network assessments, and social-engineering assessments.
  • Execute controlled assessments, conduct attack/vulnerability research, work to evade detection mechanisms in place and address weaknesses through strategic partnerships around the organization.
  • Utilize techniques that probe and circumvent technical and operational controls to successfully demonstrate a compromise and how acts of deliberate disruption can cause adverse financial loss or bring about appreciable negative impact to Credit Karma and its members, partners and other stakeholders.
  • Evaluate the key frameworks (and their ecosystems) that form the core platform for Credit Karma Engineering, looking for areas where framework improvements could eliminate the potential for vulnerabilities to be introduced.
  • Envision, design and implement core libraries and wrappers which surface key security concerns and automatically address them wherever possible.
  • Support vulnerability remediation by recommending holistic solutions instead of brittle point-fixes.
  • Refactor existing codebase to leverage new security framework capabilities with an eye toward transition from monolithic to service-oriented architecture.
  • Advance application scanning and testing integration with CI/CD pipelines to minimize security defects and improve overall product quality.
  • Understand and deploy security standards at an organizational scale (e.g. CSP, SRI, etc.).

What We Expect

  • Minimum 5 years of security experience, both as a builder and a breaker, in the following: mobile and web application assessments; network penetration testing and manipulation of network infrastructure; email, phone, or physical social-engineering assessments; developing, extending, or modifying exploits, shellcode or exploit tools; reverse engineering malware, data obfuscators, or ciphers; cloud security and security architecture, GCP security controls.
  • Technical depth in many, if not most of the following areas: LAMP stack, Node.js, Scala/Java, mobile, PKI, HTTP-based SOA/microservices, encryption, hashing, tokenization, secure randomness, Hardware Security Modules (HSMs), canonicalization, output encoding, message-based security, rate-limiting, anti-automation, role-based access control (RBAC), and large-scale data transport.
  • Working knowledge of all vulnerability classes on the OWASP Periodic Table of Vulnerabilities, with strong conceptualization of designs that make it impossible for developers to introduce those vulnerabilities.
  • Thorough understanding of InfoSec control frameworks and how they can be realistically implemented.
  • Source code review for control-flow and security flaws.
  • Eagerness to challenge the status quo, balanced with a reasonable and methodical approach to effecting change.