Product Security Engineer

Product Security Engineer (Remote – Work from Anywhere)

Work from anywhere, impact everywhere

Diversity is at the heart of who we are at Xapo Bank. We’re a fully distributed team of over 150 talented people that work remotely from 50+ countries around the world.

We work hard, think globally, and inspire each other to learn and grow. We are committed to changing the way things are done.

To achieve that, we search the world for the best people for the job. This is how we are transforming the world of digital banking.

Our team is worldwide, our capacity for innovation, limitless.

Join our remote team of dreamers and doers as we take Xapo Bank to the next level

Although we are headquartered in Gibraltar, this is a full time, 100% remote position.

Work from anywhere!

Position overview:

Xapo Bank is currently seeking a talented and enthusiastic Product Security Engineer with solid knowledge of DevSecOps to join our dynamic team. As a ProdSec Engineer, you will be at the forefront of ensuring the security, efficiency, and reliability of our groundbreaking and innovative technology solutions. Our cutting-edge products are revolutionising the financial industry, and you will play a pivotal role in safeguarding their integrity.

You will have strategic oversight of our CI/CD pipelines, driving the “shift-left” approach for a seamless developer experience. You will work on automation and develop tools to optimise efficiency and streamline mundane processes. We are seeking a voice that can assist in designing robust security architectures and guide teams in making informed decisions. Your collaboration with business stakeholders to address their specific security requirements will be vital. Additionally, you will conduct threat modelling and proficiently manage a range of state-of-the-art security tools and technologies.

Responsibilities:

• Oversight of our CI/CD pipelines: Collaborate with multiple teams and manage security integration at every stage of our continuous integration and deployment pipelines. We strongly believe in the shift-left approach and our goal is to have a quick and meaningful feedback loop between our tools and the development process – with an aim to improve developer experience.
• Automation & Scripting: Proven experience with automation and scripting, ideally with Python, to reduce manual, repetitive tasks, and improve efficiency and accuracy.
• Security Architecture: Be involved in designing, building and implementing security architectures, demonstrating a deep understanding of various security solutions.
• Business Collaboration: Be comfortable with discussing the business security requirements and escalating relevant risks to be addressed.
• IAM: Be comfortable in reviewing or raising issues with Identity and Access Management (IAM) policies and tools. Nice to have: Experience with OIDC between Github and AWS.
• Threat Modelling: Ability to perform threat modelling activities in the early stages of product development.
• Incident Management: Engage in security incident management investigations, partake annual tabletop exercises, identify/respond, mitigate, and, when needed, implement preventative, remedial actions. Be comfortable in jumping on an investigation (Only when strictly necessary!) to support the team out of hours in case of a security incident.
• Vulnerability Management: Ability to contribute to our vulnerability management program with enhancements/improvements and operate the platform to ensure teams have what they need to address vulnerabilities within SLA.
• Manage Cyber Security Tools: Manage and assist in tuning security tools that enhance operational processes while maintaining security, including but not limited to WAF, SIEM, Endpoint Protection, Bug Bounty Program, CSPM, Asset Inventory.
• Cloud Security (Nice to have): Experience in managing cloud environments, controlling and approving access rights, monitoring compliance, and managing the environment for potential security vulnerabilities. Knowledge of containerization (ie. Docker) and main cloud technologies, primarily AWS but also on GCP, Azure.

Qualifications and experience:

• Solid knowledge of writing and reviewing Infrastructure-as-Code: You should possess a strong understanding of Infrastructure-as-Code (IaC) principles and best practices.
• Relevant Security Certifications: Possessing relevant security certifications will be highly advantageous. Certifications such as AWS Security Specialist and HashiCorp Terraform demonstrate your expertise in implementing robust security measures within cloud environments.
• Proficiency in coding and reviewing code (primarily Python): Your proficiency in coding, particularly in Python, will enable you to contribute effectively to the development of secure and reliable systems.
• Demonstrated creative, critical, and independent thinking capabilities: As a ProdSec Engineer Engineer, you will encounter complex challenges that require innovative solutions. Your ability to think creatively, critically, and independently will be essential in designing and implementing robust security measures.
• Troubleshooting skills: Strong troubleshooting skills are vital to identify and resolve security issues promptly. Your ability to analyze problems, think analytically, and apply effective troubleshooting techniques will be crucial in maintaining the integrity and security of our systems.

Why work for Xapo?

IMPACT GLOBALLY, WORK REMOTELY.

• Shape the Future: Improve lives through cutting-edge technology, work 100% remotely from anywhere in the world.
• Great work-life balance: Build amazing things with a balance of autonomy and collaborative teamwork. Set your own work schedule and make use of a flexible PTO plan when you need to recharge.
• Expect Excellence: Collaborate, learn, and grow with a high-performance team. Learn how you learn best – from books to conferences, you’ll get a yearly budget for your individual learning and development goals.