Security Engineer – Vulnerability Management

Company Overview
Kong Inc., an industry pioneer in cloud-native solutions, empowers businesses worldwide to innovate and excel in managing their API-driven architectures. With numerous awards for innovation and security solutions, our commitment extends beyond technology to cultivating a workplace that celebrates diversity and fosters inclusion. Join us to be part of a company where your work impacts millions and where every team member is instrumental in driving success.
About the Role
As a Security Engineer specializing in Vulnerability Management and Testing, you will be critical in ensuring the security of Kong’s flagship product, the Kong Gateway. This role focuses on identifying, triaging, and closing vulnerabilities while leveraging advanced security engineering to build and update automated testing pipelines. You will bring expertise in automated security testing while remaining hands-on in manual testing and validation processes. Your contributions will directly impact the security of Kong’s products by integrating robust security measures into CI/CD pipelines, conducting in-depth testing, and working closely with development teams to remediate vulnerabilities effectively and efficiently.

What you will do:

• This position will be responsible for Manual Testing and Validation:
• Conduct in-depth manual testing to identify vulnerabilities not covered by automated tools.
• Validate the accuracy of automated findings and ensure comprehensive coverage for critical systems.
• Provide detailed remediation guidance to development teams based on manual findings.

This position will be responsible for performing Comprehensive Testing and Analysis:
• Conduct both automated and manual testing to uncover vulnerabilities:
• Static Analysis: Detect insecure coding patterns during development.
• Tools: GitHub Advanced Security (CodeQL), SonarCloud, Checkmarx CLI.
• Dynamic Application Security Testing (DAST): Identify runtime vulnerabilities such as XSS or SQL Injection.
• Tools: OWASP ZAP CLI Runner, Burp Suite Enterprise Edition.
• Fuzz Testing: Discover unknown vulnerabilities through randomized inputs.
• Tools: ClusterFuzzLite, libFuzzer.
• Dependency Analysis: Identify vulnerabilities in third-party libraries and components.
• Tools: Dependabot, Snyk CLI, OWASP Dependency-Check.
• Environment Simulation and Sandboxing: Test software in isolated environments to simulate real-world attacks.
• Tools: Docker, Minikube, Cuckoo Sandbox.

Vulnerability Triage and Management:
• Identify, prioritize, and track vulnerabilities from multiple sources, including automated tools, penetration testing, and external reports.
• Collaborate with development teams to ensure timely remediation of findings.

Work with Security Engineering to develop Automated Testing Pipelines:
• Design, implement, and maintain automated security testing pipelines using GitHub Actions.
• Integrate security tools into CI/CD workflows to enable continuous testing.
• Enhance pipeline efficiency by automating vulnerability identification, tracking, and validation processes.

Collaboration with Development Teams:
• Act as the primary security liaison for engineering teams, guiding secure coding practices and remediation strategies.
• Review and approve remediation actions to verify closure of identified vulnerabilities.

Process Development and Metrics:
• Establish workflows for vulnerability triage, testing, and closure.
• Develop and monitor metrics to measure the effectiveness and efficiency of vulnerability management processes.

What we look for:

• Expertise in building and managing automated security testing pipelines in CI/CD workflows.
• Strong knowledge of static and dynamic application security testing tools and methodologies.
• Hands-on experience conducting manual security testing, including penetration testing and vulnerability validation.
• Proficiency in programming or scripting languages (e.g., Python, Ruby, Go, or Rust) for building and customising testing tools.
• Experience working with development teams to remediate vulnerabilities and ensure secure software delivery.
• Familiarity with secure coding practices and common vulnerabilities (e.g., OWASP Top 10, CWE/SANS Top 25).
• Knowledge of modern security frameworks such as MITRE ATT&CK and NIST CSF.

Preferred Qualifications:
• Experience with Kubernetes and containerised application security.
• Proven ability to automate complex security testing workflows.
• Published tools or research related to security testing or vulnerability management.

By joining Kong Inc., you will combine your expertise in vulnerability management, security engineering, and hands-on testing to ensure the security and reliability of our leading cloud-native API management platform. If you’re ready to take ownership of testing and remediation processes while driving innovation in secure software development, we’d love to hear from you!