Provide domain expertise and guidelines in cloud security, secure software development, data security, security compliance, and other security best practices.
Support and manage Flip’s incident and vulnerability response and blameless postmortems, and use the insights to come up with improvements in collaboration with other product engineering teams.
Conduct penetration tests, design reviews, threat modeling, threat detection, and other necessary security assessments.
Create and maintain Flip’s security governance documents, policies, and guidelines to ensure compliance with industry compliance and security standards, e.g. PCI DSS, ISO 27001.
Identify product and infrastructure security gaps, provide recommendations to remediate them, and collaborate with product engineering teams to uplift the products' security posture.
Review, validate, and manage security vulnerabilities identified through Flip’s bug bounty program and SAST and DAST tools.
Continuously improve Flip’s software development life cycle adhering to security best practices.
Continuously improve Flip’s overall security posture, and manage and remediate security risks.
Continuously improve Flip’s security standards, tooling, documents, processes, and governance.
Continuously improve Flip’s overall security monitoring and observability solutions.
Advocate security best practices and become a security champion in Flip.
5 years of experience as a Security Engineer or in a similar role.
Experience working on cloud platforms, e.g. GCP, AWS, Alibaba Cloud, etc.
Experience with security principles, secure software development, application security, data security, and cloud security.
Experience designing, developing, operating, and maintaining secure production-grade applications in distributed virtualized/containerized environments.
Experience conducting penetration tests as part of either a red team or a blue team.
Experience programming in one or more languages, e.g. PHP, Java, Python, Golang, JavaScript, etc.
Bachelor's degree in Computer Science or equivalent practical experience.
Experience with operating system and database security.
Operating systems: UNIX / Linux. Database: MySQL, PostgreSQL.
Experience with network security and network monitoring solutions, e.g. Suricata, Wazuh, OSSEC, Snort, etc.
Experience with security systems, including anti-virus applications, content filtering, firewalls, authentication systems, intrusion detection, security information and event management (SIEM), security orchestration automation and response (SOAR), data loss prevention.
Experience securing cloud-based workloads, including Kubernetes and containerized workloads, VM workloads, and cloud native workloads.
Experience with OWASP standards and guidelines.
Experience with authentication & access control, security protocols, applied cryptography, e.g. OAuth, SSL/TLS, SSO, encryption, etc.
Experience in cyber attacks and mitigation methods, security incident response and forensics, threat modeling, security vulnerability management.
Experience with industry compliance and security standards, e.g. PCI DSS, ISO 27001, GDPR, NIST, CSA-CCM, SOC 1, SOC 2.
Experience with security frameworks, e.g. MITRE ATT&CK, Cyber Kill Chain, etc.
Additional advantage for having security-related certifications, e.g. CISA, CISM, CISSP.