We are looking for a skilled Senior Researcher to join our Cybersecurity team in Hong Kong.
Block.one is a software publisher specializing in high performance blockchain technologies. Its first project, EOSIO, an open-source blockchain protocol designed to enable secure data transfer and high-performance decentralized applications, has received global recognition as the first performant blockchain platform, following its introduction in May 2018.
Through its affiliate Block.one Hong Kong, Block.one provides software development and consultancy services from its office in Central, Hong Kong. We continue to look for global and local talent to join us in Hong Kong and offer creative solutions based on the latest technological innovations and trends.
Responsibilities & Qualifications:
- Work as a key security researcher within an elite engineering team delivering industry-leading blockchain protocols and applications.
- Perform web application penetration testing, source code reviews, and/or network penetration testing.
- Support project tasks and deadlines for engineering teams spanning multiple time zones.
- Create unique tools to assist in research project goals.
- Exploit vulnerabilities found in product systems, and clearly communicate complex vulnerabilities to both technical and non-technical staff.
- Create detailed technical reports explaining the technical and business risk of the vulnerabilities found, including actionable recommendations and considerations.
- Participate in project conference calls with internal engineering stakeholders.
- Provide technical leadership/mentorship to the security and engineering teams.
- Contribute to the security industry through presentations, blog posts, white papers, responsible disclosure, and/or research.
- Participate in and help lead the broader secure software community at Block.one via the Application Security (AppSec) Guild.
- Other duties as assigned.
A combination of formal education and experience in the following areas:
- Performing senior-level penetration testing and other application security assessment activities.
- Performing design and code reviews.
- Demonstrating high ethical standards.
- Developing and/or delivering training in secure application development practices.
- Applying offensive security methodologies.
Education and Industry Experience
- Bachelor's degree and 5+ years of experience, or an advanced degree and 3+ years of experience, in a field relevant to cyber security, or equivalent experience.
- Relevant experience could be a traditional Computer Science background with a formal or avocational focus on security tools and techniques, a formal degree or certificate program in cyber security, or direct experience in a cyber security role such as security architect or penetration tester. Non-traditional backgrounds are also welcome, provided you can demonstrate the requisite skills and knowledge through both direct assessment and documentation of experience.
Required Skills and Knowledge
We are looking for a team member whose skills and knowledge cover most of the following topics. Every individual is different, and we understand that people will be stronger in some areas than in others; in particular, an entry-level candidate will have had limited exposure to some areas of security practice and software engineering. We seek a candidate with strong technical skills across a variety of areas. As a senior candidate you will have some experience in most or all of these areas and will consider yourself an expert in at least a few of them. This includes:
- Familiarity with attack tools and techniques such as Metasploit, Burp Suite, fuzzing frameworks, Gauntlt, Kali Linux and similar tooling.
- Exposure to and understanding of various security assessment activities, including:
  - Mobile application assessments (iOS and Android)
  - Web services API assessments (examples: REST, GraphQL and message queues)
  - Hardware/embedded systems assessment and hacking
  - Reverse engineering
- Proficiency with basic Linux systems privilege and permission models, admin and operational concepts, and basic scripting.
- A restless desire to break things and break into things.
- Knowledge of common attacks and vulnerabilities, including the OWASP Top 10 and the CWE/SANS Top 25.
- Strong self-starter who has the ability to operate independently.
- Solid understanding of network and protocol basics including IP, DNS, HTTP and SSL/TLS.
- Familiarity with basic cryptographic concepts, including PKI, cryptographic algorithms, and the application of cryptography for encryption at rest and in transit.
- Well-developed communication skills, with the ability to deliver concepts effectively to a non-technical audience including senior leadership; proficiency in preparing presentations, analytical reports, and documents on program operational status, achievements and performance. This includes a requirement for high proficiency in written and spoken English.
As a senior and well-rounded individual you will likely have additional skills and experience. These will include at least some of the following:
Understanding of and experience with:
- The practice of software development across a larger organisation.
- Understanding of Agile fundamentals such as Test Driven Development, backlogs and user stories.
- Understanding of Continuous Integration/Testing/Delivery tools and techniques.
- Familiarity with scanning and intelligence tools such as Qualys, Tenable/Nessus, JFrog Xray and Black Duck.
- Familiarity with reverse engineering malware.
- A passion for agile development methodologies including TDD/XP/Scrum/Kanban
- Experience with public cloud concepts, architectures and tools (AWS, Azure and/or GCP).
- Application Security and Penetration Testing certifications such as OSCP, OSCE, OSWE and CEH.
- Other Information and Cyber Security certifications including CISSP, CISM, CompTIA Security+ and GSEC.
- A history of external communications, including papers and conference presentations.