Application Security Engineer

at  CryptoKitties Canada

We’re looking for an Application Security Engineer to help secure our product services, APIs, websites, and client applications. You will be responsible for analyzing the security of applications and services, discovering vulnerabilities and guiding remediation.
The ideal candidate has experience with web application security testing, dynamic and static web app code analysis, security design review of epics and product feature areas, product security incident response and API management security.

A LITTLE ABOUT US:

Dapper Labs is the company behind CryptoKitties. Formed in February 2018, Dapper Labs was spun out of Axiom Zen to spread the benefits of decentralization through the power of play, fairness, and true ownership. Notable investors in Dapper Labs include Andreessen Horowitz, Union Square Ventures, Venrock, Google Ventures, Samsung, and the founders of Dreamworks, Reddit, Coinbase, Zynga, and AngelList, among others. CryptoKitties is the world’s most popular blockchain application outside of cryptocurrency exchanges.
Dapper team members are humble and curious entrepreneurs, builders, and tinkerers who share a passion to demystify blockchain technology and tap its potential to create change in the world. Our people are our greatest strength: our diverse crew flourishes in a distributed hierarchy where personal autonomy and professional growth are encouraged. We value our culture above else: regardless of where you came from, what you studied, or who you used to work for, your role here will necessitate both a high level of creativity and strategic thinking on complex issues. Everyone here is a founder, and no one fits in a box. We’re all driven by an insatiable thirst for learning and development, and that’s what brings us together.

What we’ll accomplish together:

• Evaluate and implement security tools for static and dynamic security testing (e.g., Rapid7 AppSpider, PortSwigger, Veracode, etc.).
• Testing web application security: SAML, JWTs, SQL / NoSQL injection, application security model, and logic flaws.
• Review vulnerabilities in 3rd party libraries with tools like Snyk and work with product team on remediation planning.
• Help integrate security QA testing into build pipelines.
• Work closely with SRE and development/engineering teams to validate implementations with security tools and consult on remediation of identified security flaws in products and infrastructure.
• Work with SRE to implement resilient API management security.
• Help train and mentor engineering team members on security concepts.

A little about you:

• Strong experience with security testing modern RESTful APIs and web application servers.
• Very good understanding of trust models like OAuth, SAML, and how to attack them.
• Experience with IaaS / Cloud platforms like AWS, Azure, or GCP.
• Experience working directly with developers to design new - and fix existing - applications.
• Experience with containerization, Kubernetes, and microservices architectures.
• Experience with data flows and threat modeling web applications.
• Understanding of mobile client application security principles.
• Chrome extension security concepts.
• Past experience at a software company in a role involving product security.
• Past experience working in or with product security teams.
• Experience working in Agile projects as part of a reasonably large team.
• Significant web application security experience using tools to test RESTful architectures.
• Significant with cloud environments like AWS/GCP/Azure.
• CI/CD pipeline security experience.

The opportunity:

• Be part of a whole new discipline of security tools and processes.
• Impact - help craft the direction of security for the entire company.
• Lack of bureaucracy - your opinion will count and you will have the ability to get things done quickly.
• Projected growth - the team is fast growing, you will never be bored as we play with new technologies and product spaces.
• We’re always working with new and cool tech stacks.
• Working with big clients.
• Growth opportunity: the security team plays an increasingly important role, and is exposed to a variety of new technologies over time.
• Be a part of something big: you’ll always understand the big picture and what we’re ultimately trying to achieve because of a transparent leadership team.

Bonus points for:

• Understanding of blockchain tech.
• SaaS model secure lifecycle management.
• Mobile dev experience: static analysis, dynamic testing, best practices for iOS and Android.
• Browser extension security and testing.

A LITTLE MORE ABOUT US:

At Dapper Labs we recruit the best and foster an environment that empowers our team. That means a workplace that is diverse, inclusive, and open-minded. We welcome applicants of all backgrounds, regardless of race, colour, religion, sexual orientation, gender identity, national origin, or disability.
We offer compensation commensurate with the high level of talent we seek, diverse opportunities for learning and development, extensive benefits, and flexible time off policy.