\nAs a Principal Application Security Engineer at Vimeo, you will engage in a variety of activities, either offensive, defensive, or some combination thereof, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.\n\nYou’ll plan, carry out, and lead security initiatives to monitor and protect sensitive data and systems from infiltration and cyber-attacks.\n\nYou will likely collaborate frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.\n\nYou love to solve puzzles, and are a great team player.\n\nThis role is remote. The role requires three hours of overlap with the US Eastern time zone (i.e., New York City) daily.\n\nWhat you’ll do:\n\nDepending on your preferences and the current needs of the team, you may either focus on just one or two of the following areas, or you may choose to become involved with many of them.\n\n\n* Security architecture — create a technical plan for partitioning and consolidating our cookies; draft up a sequence diagram for a new middleware to prevent IDOR attacks; implement a POC for leveraging CAPTCHA challenges in cross-origin embedded iframes; draft some code to modify the expiration behavior of our JWTs then pair with our API team to get feedback\n\n* Penetration testing — either hunt for security issues on our production or staged applications during an open-box internal pen test, or help coordinate an engagement with an external firm\n\n* Writing code for internal automated security tools — write some code, usually in Python, Bash, or Go, to support any of our team's various initiatives. Often we strive to facilitate a culture of “paved roads” for our developers, such that it is easy for any developer to incorporate security into their designs and implementations\n\n* Threat modeling — consider how malicious attackers may compromise our systems, and advise developers and product managers on what defenses are needed\n\n* Code reviews — discover weakness in our source code before it reaches production\n\n* Bug bounty program — help triage new incoming reports on a daily basis, plus launch creative initiatives to increase researcher engagement on our programs\n\n* Web Application Firewall and Rate Limiting — expand coverage and tune new rules while coordinating with developers, support team members, and the site reliability team\n\n* Remediation — enable and encourage developers to correctly fix recently discovered security issues in a timely manner, ultimately reducing our Mean Time To Remediate\n\n* Secure Software Development Lifecycle — configure automated tooling (eg. static and dynamic code analysis,, IAST) in our SDLC to detect security issues in our source code before it reaches production\n\n* Developer Education, Security Culture — create fun ways to spread technical security awareness throughout the engineering department\n\n* Incident response — lead or assist in running the various phases of an incident response, including initial detection, triage, containment, recovery, root cause analysis, retrospective, etc.\n\n* Collaboration with the infrastructure security team — pair with members of the infrastructure security team on various projects to secure our cloud instances and employee workstations\n\n* Collaboration with the compliance and privacy team — help ensure that our company complies with industry best practices and standards\n\n* Process improvements — help strengthen our own internal processes and procedures\n\n* A typical day will look like:\n\n\n\n* Engage with one or more product development teams and guide them through a threat model and data flow analysis.\n\n* Review the code for major new functionality to ensure security best practices are followed.  \n\n* Review new tickets in our bug bounty program (http://hackerone.com/vimeo) and use your system design and threat modeling knowledge to reproduce, define risk and mitigating controls and propose a fix., \n\n* A call or two with Development, Product Management teams to discuss security-related issues\n\n* Pen test a new feature in a staging environment with Burp Pro\n\n* Assist the compliance team on a privacy-related project\n\n* Provide technical advice in response to occasional questions from developers and other members of the security team\n\n\n\n\n\n\nSkills and knowledge you should possess:\n\n\n* Required: 5+ years of prior experience in either software development, devops, or site reliability engineering with hands-on coding experience.\n\n* Preferred: prior experience in Application Security\n\n* 7+ total years of relevant experience in Engineering, Application Security, or a similar technical field.\n\n* Strong knowledge of modern web, mobile, and network security\n\n* Strong programming skills with at least one of the following languages, and the ability to read all of them: Python, Go, PHP, Javascript, and Ruby\n\n* Expertise with application pen testing, using tools like Burp or Zap\n\n* Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.\n\n* Confident with shell scripting\n\n* Confident with common SDLC components, like git, Jira, Jenkins, etc\n\n* Confident ability to communicate technical security concepts to developers\n\n* At least an upper-intermediate level of English\n\n\n\n\nBonus points:\n\n\n* Link to a Github repo with security tools/scripts you’ve developed or help maintain\n\n* Full-stack web development experience creating RESTful applications (in any language) is a big plus\n\n* Open source vulnerability research or blog posts is a big plusS\n\n* Experience with system security hardening guidelines and SDLC principles\n\n\n \n\n#Salary and compensation\n No salary data published by company so we estimated salary based on similar jobs related to Design, Cloud, API and Engineer jobs that are similar:\n\n $62,500 — $105,000/year\n
\n\n#Benefits\n 💰 401(k)\n\n🌎 Distributed team\n\n⏰ Async\n\n🤓 Vision insurance\n\n🦷 Dental insurance\n\n🚑 Medical insurance\n\n🏖 Unlimited vacation\n\n🏖 Paid time off\n\n📆 4 day workweek\n\n💰 401k matching\n\n🏔 Company retreats\n\n🏬 Coworking budget\n\n📚 Learning budget\n\n💪 Free gym membership\n\n🧘 Mental wellness budget\n\n🖥 Home office budget\n\n🥧 Pay in crypto\n\n🥸 Pseudonymous\n\n💰 Profit sharing\n\n💰 Equity compensation\n\n⬜️ No whiteboard interview\n\n👀 No monitoring system\n\n🚫 No politics at work\n\n🎅 We hire old (and young)\n\n
\n\n#Location\nTel Aviv, Tel Aviv District, Israel

IMPORTANT:\n \n1. This job is to work for a US company. An advanced level of English is a non-negotiable requirement. Please refrain from applying if this is not your case.\n \n2. This job is remote but if you’re not located in the region mentioned in the post’s title, do not continue. Your application won’t be reviewed. Please apply to the job posting for your country/region of residence.\nIf you’re in Brazil, Bahamas, Barbados, Bolivia, Cuba, El Salvador, Haiti, Jamaica, Nicaragua, Panama, Suriname, Trinidad, and Tobago, or Venezuela, we’re sorry but we can’t consider your application at this moment. #LI-Remote\n \n3. To be considered for this position, resumes must be sent in English\n\nInterviewing for a new company is a serious time commitment for all parties involved. Please take the time to read this and thoughtfully consider if we would be a good fit for one another.  No contractors or agencies. Seriously.\n\nAbout Very\n\nVery has been a remote-first company since 2011 which has allowed us to develop an amazing remote working experience and to have a remote office culture that exceeds that of any traditional on-site office.\n\nWe’ve built a collaborative, tight-knit team that thrives, whether we’re hanging out in person at our annual retreat or coordinating work across time zones. The results show that we’re doing something right. In 2020, we were named one of Inc’s Best Workplaces, Parity.org's Best Companies for Women to Advance List, and Fatherly’s Best Places to Work for Dads.\n\nAt Very we are focused on delivering world-class IoT hardware, software, and smart product engineering services to our clients. We have a wide array of clients from enterprise-level clients such as Vizio, Clear and iHeart Radio to small greenfield start-ups. Whatever size company our goal remains the same - Deliver world-class IoT services and solutions and truly partner with our clients to ensure overall product success.\n\n\nAbout this Role\n\nVery is looking to hire an experienced software engineer specializing in native mobile development to work across a wide variety of projects and technology stacks.\n\nAs a Lead Software Engineer, you will be responsible for delivering high-quality, scalable and well tested code. At Very, teaching and learning is at the core of what we do. Whether through pair programming, workshops, conferences or other cross project collaboration we expect every engineer to continue advancing and developing their skills.\n\nResponsibilities:\n- Execute end-to-end software development and deployment in an agile environment\n- Provide technical guidance to other team members\n- Influence work of multiple teams relating to overall engineering group objectives \n- Drive continuous process and technology improvements\n- Lead production monitoring and resolution impacts\n- Own and operate large sections of software and systems\n- Partner with Product to spec out the technical aspects of a feature from inception through delivery\n- Guide software design and delivery through influence and education\n- Write acceptance, integration and unit tests\n- Coach and mentor other engineers\n- Conduct architecture discussions when necessary\n- Participate in recruiting of candidates and improvement of the overall interview process\n- Support sales and pre-sales engineering work to ensure Very Client fit\n\nAt Very we do not have just one technology stack as we work on interesting problems, not specific technologies. However, we do have some preferred stacks and proficiency in two of them is required:\n\nBackend Web / Embedded Technologies\nElixir: Phoenix / Nerves\nPython: Django / Flask / Serverless / Scientific Python\nRuby: Rails\nJavaScript: NodeJS Backends\nKotlin/Java: Web Backends\nC/C++: Zephyr RTOS / BareMetal\n\nFrontend Web / Mobile Technologies\nTypeScript: React / React Native\nSwift/Objective C: iOS Native\nKotlin/Java: Android Native\n\nWe value well-tested, reusable code and expect our engineers to be as good of practitioners as they are leaders and teachers.\n\n\nWhat You’ll Be Working On\n\nWe take customer success extremely seriously here at Very. As a senior engineer, you will be partnering with our clients to bring their products to market. You will be utilizing one or more of the above mentioned technology stacks coupled with a cloud provider to deliver an end-to-end solution for our customers. \n\nEach project is slightly different and can contain any combination of hardware, firmware, web / mobile frontend as well as an API backend/cloud architecture. We follow best practices such as Infrastructure as Code, well thought out and designed CI/CD pipelines, TDD, and other testing best practices, and always keep an eye on scalability. \n\nWe remain as agile as possible working on delivering a vertical slice of all involved layers as early as possible so we can iterate and demonstrate progress. Your role on a project will be focused on your area of expertise coupled with your learning goals.\n\n\nQualifications\n\nRequired\nUnfortunately, applicants who do not meet these criteria will not be considered.\n\n* Lead-level Software Engineering experience: Can guide a team to successful outcomes by architecting overall solutions, ensuring that work across the team meets a high standard, and helping the team focus on efficient solutions to business problems.  Their quality of work and overall approach to problem-solving means that review of their work is mostly for the sake of discussion/clarity, rather than to ensure quality. \n* Lead-level native mobile engineering experience: Has developed from ent-to-end and published multiple Android and/or iOS apps\n* Strong communication skills with the ability to understand and explain technical issues to a non-technical audience\n* Strong experience with Android App and SDK development experience with Java and Kotlin\n* Experience delivering and supporting  Android applications\n* Solid understanding of the full mobile development life cycle required\n* Good understanding of cross-platform app development\n* Experience with using RESTful Web Services with applications\n* Experience building web and API services, using remote data via REST and JSON\n* Experience in object orientated design and programming, design patterns, and related frameworks\n* Demonstrated expertise in continuous integration/delivery/deployment\n\nNice-to-haves\n* Experience with Docker and Kubernetes\n* Cloud development experience with AWS\n\nContract\n\nYour contract with Very will be as an independent contractor for an indefinite period.\nThis type of contract carries some additional responsibilities for you - you'll have to save some money to take care of taxes and you'll have to pay for public social security (Health and Pension) out of pocket.\n \nThat being said, we're confident that our competitive compensation and benefits package (see below) will still mean that you are happy with your take-home amount at the end of each month. For more information about Very and the contract type, see here.\n\nHow You’ll Be Compensated\n\nBase compensation\nDepending on your skill and experience, you can expect a monthly salary between USD $7,900 and $11,100 upon joining the company.  We also offer performance bonuses, a generous maternity/paternity leave policy, and numerous other employee benefits (including eliminating the stress and cost of commuting each day)\n\nWe also offer world-class perks:\n-$1,000 annual Healthcare Stipend (to be used towards Health insurance premium)\n-Paid Parental Leave\n-Continuing Education Stipend - After 1 year of Employment  ($3000/ year for learning and 100% of the costs if you’re speaking at an event)\n- Home Office Stipend ($1000 per year for your workstation / office)\n- $125/mo Monthly Communications Stipend (Can be used towards Cell Phone Data Plan, WiFi Plan, VOIP, VPN)\n- PTO / Sick Time\n- Variable Compensation based upon performance\n- MacBook Pro (Provided)\n- Personalized ESL coaching and access to an AI-powered adaptive platform to take your English to the next level\n\nAdditional Perks (could vary)\n- Paid trip to somewhere in the World for the annual global company retreat.\n\n \n\n#Salary and compensation\n No salary data published by company so we estimated salary based on similar jobs related to Ads, Mobile, Excel, Non Tech, Salesforce, API, Senior, Sales, SaaS, Engineer, Analyst, Microsoft, Marketing, Travel, Director, Cloud, Software, Ecommerce, Teaching, Video, Education, Python, Legal, JavaScript, Amazon, Junior, Stats, HR, Finance, React, Java, Serverless and Android jobs that are similar:\n\n $70,000 — $110,000/year\n
\n\n#Benefits\n 💰 401(k)\n\n🌎 Distributed team\n\n⏰ Async\n\n🤓 Vision insurance\n\n🦷 Dental insurance\n\n🚑 Medical insurance\n\n🏖 Unlimited vacation\n\n🏖 Paid time off\n\n📆 4 day workweek\n\n💰 401k matching\n\n🏔 Company retreats\n\n🏬 Coworking budget\n\n📚 Learning budget\n\n💪 Free gym membership\n\n🧘 Mental wellness budget\n\n🖥 Home office budget\n\n🥧 Pay in crypto\n\n🥸 Pseudonymous\n\n💰 Profit sharing\n\n💰 Equity compensation\n\n⬜️ No whiteboard interview\n\n👀 No monitoring system\n\n🚫 No politics at work\n\n🎅 We hire old (and young)\n\n
\n\n#Location\nLatin America