Robinhood is hiring a Remote Senior Penetration Tester Web Applications
About the team:\n\nRobinhood is looking for a Senior Penetration Tester who is passionate about breaking and fixing applications, services and processes to join the Robinhood Pentest Team.\n\nThe pentest team is part of the larger Offensive Security team and is a core pillar of Security & Privacy Engineering. The pentest team will work with teams across Robinhood to ensure our products, services, and processes are secure through threat modeling, automated & manual penetration testing, and tracking remediations of identified vulnerabilities.\n\nHere are some examples of things our team does frequently that youโll be heavily involved with:\n\n\nPerform threat modeling against critical and new services. Articulate the actual security risk to Risk working groups.\n\nValidation of critical/high vulnerabilities surfaced via vulnerability automation tooling.\n\nPerform application assessments, internal and external penetration testing focusing not just on network and application level vulnerabilities but fully understanding what risk to Robinhood the vulnerabilities pose especially as they relate to business logic and fraud opportunities.\n\nTriage Bug Bounty reports and interact with Bug Bounty Researchers\n\nConduct vulnerability research to understand latest TTPs and exploits.\n\nConduct vulnerability research into futures technologies robinhood may deploy \n\nFixing issues and leaving things better than they found them and not just finding broken things.\n\n\n\n\n \nWhat youโll do day-to-day:\n\n\nPerform application security penetration tests to include source code reviews (Golang/Python). This will be your primary role.\n\nTriage Bug Bounty reports as part of the Bug Bounty on call rotation.\n\nPerform threat modeling against critical and new services. Articulate the actual security risk to risk working groups\n\nUse, configure, and write automation to identify and validate vulnerabilities surfaced via vulnerability automation tooling\n\nPerform internal and external penetration, code reviews, and design/architecture reviews testing focusing not just on network and application level vulnerabilities but fully understanding and articulating what risk to Robinhood the vulnerabilities pose especially as they relate to business logic and fraud.\n\nWork closely with development teams to mitigate or remediate security vulnerabilities preferably by submitting Pull Requests (PRs) with the code to remediate the identified vulnerabilities\n\nBuild or suggest detection and monitoring for attacks on the application or infrastructure\n\nConduct vulnerability research to understand latest TTPs and exploits\n\nConduct vulnerability research into future technologies Robinhood may deploy \n\nPublish blog posts and present talks at security conferences\n\nBe a technical advocate for privacy and security decisions, designs, and discussions\n\nMake recommendations for organization-wide system improvements, optimization and/or maintenance efforts and engages with stakeholders to remediate vulnerabilities and risks when required\n\n\n\nAbout you:\n\n\n3-5+ years of experience as a Penetration Tester, Security Researcher, or Security Engineer\n\nCan perform source code review of Golang and Python\n\nStrong foundation in computer and network security, authentication, security protocols and applied cryptography\n\nExperience in web app security, vulnerability research, and penetration testing\n\nKnowledge of network-based and system-level attacks and mitigation methods\n\nFamiliarity with at least some of the following: Python, Go, bash\n\nFamiliarity with log formats and intrusion detection systems for Linux based systems\n\nFamiliarity with common network protocols and standards such as DNS and TCP/IP\n\nExperience with attacking cloud based environments, software development technologies, devops tooling, and web applications\n\nFamiliarity and experience with AWS, GCP and other cloud providers and best practices for securing cloud infrastructure\n\nExperience with containers and container orchestration systems such as Docker and Kubernetes. \n\nAbility to research and execute a testing plan to assess a new technology or process\n\nExcellent written and verbal communication skills and ability to communicate your findings at both high and technical levels\n\nDemonstrated experience performing penetration testing on a remote team\n\nProficiency to communicate over a text-based medium (Slack, JIRA Issues, GitHub issues, & Email) and can succinctly document technical details\n\n\n\n\n \nBonus points:\n\n\nExperience in the Financial Technology domain\n\nPassion and demonstrated experience for challenging security assumptions\n\nPassion for fixing security issues and not just identifying security issues\n\n\n\n\nCO Residents: In Colorado, the base pay for this position ranges from $169000 to $224000. This role is also eligible for an annual discretionary bonus and participation in Robinhoodโs equity plan. \n\n#Salary and compensation\n
No salary data published by company so we estimated salary based on similar jobs related to Design, Senior, Marketing, Sales, Digital Nomad, Amazon, Consulting, DevOps, Cloud, Jira, Docker, Testing, Golang and Linux jobs that are similar:\n\n
$62,500 — $120,000/year\n
\n\n#Benefits\n
๐ฐ 401(k)\n\n๐ Distributed team\n\nโฐ Async\n\n๐ค Vision insurance\n\n๐ฆท Dental insurance\n\n๐ Medical insurance\n\n๐ Unlimited vacation\n\n๐ Paid time off\n\n๐ 4 day workweek\n\n๐ฐ 401k matching\n\n๐ Company retreats\n\n๐ฌ Coworking budget\n\n๐ Learning budget\n\n๐ช Free gym membership\n\n๐ง Mental wellness budget\n\n๐ฅ Home office budget\n\n๐ฅง Pay in crypto\n\n๐ฅธ Pseudonymous\n\n๐ฐ Profit sharing\n\n๐ฐ Equity compensation\n\nโฌ๏ธ No whiteboard interview\n\n๐ No monitoring system\n\n๐ซ No politics at work\n\n๐ We hire old (and young)\n\n
\n\n#Location\nSan Francisco, California, United States
๐ Please reference you found the job on Remote OK, this helps us get more companies to post here, thanks!
When applying for jobs, you should NEVER have to pay to apply. You should also NEVER have to pay to buy equipment which they then pay you back for later. Also never pay for trainings you have to do. Those are scams! NEVER PAY FOR ANYTHING! Posts that link to pages with "how to work online" are also scams. Don't use them or pay for them. Also always verify you're actually talking to the company in the job post and not an imposter. A good idea is to check the domain name for the site/email and see if it's the actual company's main domain name. Scams in remote work are rampant, be careful! Read more to avoid scams. When clicking on the button to apply above, you will leave Remote OK and go to the job application page for that company outside this site. Remote OK accepts no liability or responsibility as a consequence of any reliance upon information on there (external sites) or here.