Senior Security Engineer, Offensive Specialist at Chewy
We're looking for a Senior Security Engineer in our Boston, MA location to join our Research, Architecture, Design, Command (RADCOM) Team. This team helps Chewy through vulnerability discovery, disclosure and mitigation in our products, services, infrastructure, and ecosystem. This person will be responsible for performing attack simulations, adversarial threat modeling, penetration tests, and security reviews for Chewy products and services. You will be responsible for discovering vulnerabilities at Chewy, its products and services and conduct threat modeling exercises on people, processes, and technologies that build up our products and services. You will also design red team exercises in collaboration with other security teams to help improve our security incident response and overall security program.
As a member of our RADCOM Team, you’ll be responsible for ensuring that Chewy’s products, services, and processes are continuously tested and resilient against an attack from threat actors. You’ll be working with the team to focus on the systems, services, and processes that protect Chewy’s most valuable resources, and communicate with internal and external stakeholders as needed.
What You’ll Do:
- Provide an adversarial perspective that productively challenges assumptions and decisions to improve security
- Collaboratively define threat models, scope, and prioritize offensive security engagements.
- Integrate offensive security into security development lifecycle
- Research emerging attack vectors and techniques, including targeting user endpoints, cloud platforms & systems, development infrastructure, system integrations, and everything in between.
- Design and plan offensive exercises based on research into threat actors most relevant to Chewy’s business operations
- Build, modify, and implement tooling and automation to improve the offensive capabilities of the team to meet our evolving objectives and mitigate security threats
- Perform ongoing, proactive analysis of Chewy’s internal and external attack surface
- Participate in blue / purple-team exercises to improve efficacy of internal security programs
- Develop training programs on security-related topics such as threat modeling, user awareness, attack techniques, and mitigation strategies
- Document and effectively contextualize issues with respect to business impact
- Devise pragmatic methods of mitigating security risks
- Coordinate, collaborate, and communicate within the RADCOM Team and with stakeholders in Security, Engineering, and other departments
What You’ll Need:
- Bachelor’s degree in computer science or engineering related field or equivalent work experience
- Minimum of 7 years in a senior IT role
- Minimum of 4 years in a vulnerability analyst, penetration tester or risk analyst role
- Web application security expertise
- Familiarity with static code analysis concepts and tools
- Familiarity with dynamic application testing concepts and tools
- Working knowledge of one or more of the following programming languages
- Hold industry recognized certifications such as: GPEN, GWAPT, GCIA, GCIH, OSCP, GXPN etc.
- Working level knowledge of AWS foundations and well architected framework
- Experience with log analysis tools such as Splunk, Elastic with Kibana etc.
- Experience with shell scripting or automation of simple tasks using BASH, PowerShell, Python, Ruby, Go etc.
- Experience developing, extending, or modifying exploits, shellcode or exploit tools
- Strong knowledge of tools used for web application and network security testing, such as Kali Linux, Metasploit, Burp suite, Core Impact, Cobalt Strike, Nessus, Web Inspect, and Scuba etc.
- Position may require travel
- Experience with agile scrum and/or kanban methodologies
- Experience in ecommerce
- Self motivated with excellent problem solving skills and able to perform job functions with little direct supervision