Senior Offensive Security Specialist, Offensive Security and Vulnerability Management

Focused on developing products and services for the digital assets sector, Bullish has rewired the traditional exchange to benefit asset holders, enable traders and increase market integrity. Supported by the group’s treasury, Bullish’s new breed of exchange combines deep liquidity, automated market making and industry-leading security and compliance to increase the accessibility of digital assets for investors. Bullish exchange is operated by Bullish (GI) Limited and is fully regulated in Gibraltar.

Mission: To make trading with digital assets more rewarding and secure.​

Vision: To be the most innovative, respected, and trusted leader in crypto.

Reports to:

The Bullish Offensive Security and Vulnerability Management (OSVM) team provides Bullish Global with the capabilities to ensure that our products and services are secure and meet the security obligations expected by our customers and regulators. The OSVM team helps to secure all of Bullish Global, which includes the Bullish Exchange, CoinDesk, and CCData. The OSVM team regularly performs manual security assessments and penetration testing across a variety of technologies, source code reviews, vulnerability remediation support, automated security testing, security tool development, and red-teaming. 

We are seeking a Senior Offensive Security Specialist to join our Offensive Security team to help secure Bullish Global. In this exciting role, you will be a key player within an elite security team delivering industry-leading Crypto services. This role will work closely with product and engineering teams to deliver secure software. This work will include delivering a wide range of security capabilities across a modern technology stack. This role will also work closely with developers to diagnose, document, and remediate application security vulnerabilities.

The ideal candidate will be a mix of hacker, programmer and security enthusiast who has a special passion for the unique promise and challenge of a dynamic environment working with a variety of products and teams.

Responsibilities:

• Perform web application penetration testing, source code reviews, and/or network penetration testing.

• Perform mobile and API penetration testing.

• Support project tasks and deadlines for engineering teams spanning multiple time zones.

• Create unique tools to assist in scaling the security program.

• Exploit vulnerabilities found in product systems and clearly communicate complex vulnerabilities to both technical and non-technical staff.

• Create detailed technical reports explaining technical and business risk of the vulnerabilities found to include actionable recommendations/considerations.

• Provide technical leadership/mentorship to the security and engineering teams.

• Writing new tools and automation.

• Reverse engineering.

• Other duties as assigned.

Qualifications:

• 5+ years of relevant experience in cyber security.

• Bachelor’s Degree in Computer Science or related field. 

• Experience in the following areas:

  • Performing senior-level penetration testing and other application security assessment activities.

  • Performing design code reviews.

  • Demonstrating high ethical standards.

  • Applying offensive security methodologies.

• Familiarity with attack tools such as Burp Suite, Nessus, Kali Linux and similar tools.

• Exposure to and understanding of various security assessment activities including:

  • Mobile application assessments (iOS and Android).

  • Web Services API assessments (examples: REST, GraphQL and Message Queues).

  • Hardware/embedded systems.

• Basic proficiency in multiple mainstream programming language such as C/C++, Java, JavaScript, Python, or Go.

• Ability to effectively assess risks and severity and communicate vulnerability impact to management and engineering teams. 

• Proficiency with basic Linux systems privilege and permission models, admin and operational concepts, and basic scripting.

• Possess a restlessness and desire to break and break and break into things.

• Knowledge of common attacks and vulnerabilities including OWASP Top 10 and SANS CWE 25.

• Strong self-starter who has the ability to operate independently.

• Solid understanding of network and protocol basics including IP, DNS, HTTP and SSL/TLS.

• Familiarity with basic cryptographic concepts including PKI, cryptographic algorithms, application of cryptography for encryption at rest and in motion.

• Developed communications skills with ability to deliver concepts effectively to non-technical audience including senior leadership; proficiency in preparation of presentations, analytical reports, and documents regarding program operational status, achievement and performance. 

• Understanding of and experience with:

  • The practice of software development across a larger organization.

  • Understanding of Agile fundamentals.

  • Understanding of Continuous Integration/Testing/Delivery tools and techniques. 

  • Familiarity with scanning and intelligence tools, including Vulnerability Management, SAST, DAST, OSA, and API traceability 

• Experience with public cloud concepts, architectures and tools (AWS, Azure and/or GCP).

• Application Security and Penetration Testing certifications such as OSCP, OSCE, OSWE and CEH.

• Other Information and Cyber Security certifications including CISSP, CISM, CompTIA Security+ and GSEC.

• Experience and history of external communications including papers and conference presentations.

Bullish is proud to be an equal opportunity employer. We are fast evolving and striving towards being a globally-diverse community. With integrity at our core, our success is driven by a talented team of individuals and the different perspectives they are encouraged to bring to work every day.