Security Engineer, Vulnerability Management & Testing - Secure the World's Connections!
Ready to make a real impact on the security of a widely used platform? At Kong, we're empowering organizations around the globe to connect and innovate through our leading API management solutions. We're looking for a passionate Security Engineer to join our team and play a crucial role in securing Kong Insomnia, our popular API client.
In this role, you'll be on the front lines of vulnerability management, using both automated and manual techniques to identify, triage, and remediate security weaknesses. You'll be a key player in building and maintaining our automated testing pipelines, ensuring the security of our platform from development to deployment. If you're a hands-on security professional with a knack for problem-solving and a passion for secure coding, this is the opportunity for you.
What You'll Do:
Comprehensive Security Testing and Analysis: Become a master of offensive security by conducting static analysis, dynamic application security testing (DAST), fuzz testing, and dependency analysis. You'll also simulate real-world attacks in isolated environments. Specific tasks include:
Static Analysis: Detect insecure coding patterns during development.
Tools: GitHub Advanced Security (CodeQL), SonarCloud, Checkmarx CLI.
Dynamic Application Security Testing (DAST): Identify runtime vulnerabilities such as XSS or SQL Injection.
Tools: OWASP ZAP CLI Runner, Burp Suite.
Fuzz Testing: Discover unknown vulnerabilities through randomized inputs.
Tools: ClusterFuzzLite, libFuzzer.
Dependency Analysis: Identify vulnerabilities in third-party libraries and components.
Tools: Dependabot, Snyk CLI, OWASP Dependency-Check.
Environment Simulation and Sandboxing: Test software in isolated environments to simulate real-world attacks.
Tools: Docker, Minikube, Cuckoo Sandbox.
Vulnerability Triage and Management: Identify, prioritize, and track vulnerabilities from multiple sources, including automated tools, penetration testing, and external reports. Collaborate with development teams to ensure timely remediation of findings.
Manual Testing and Validation: Dive deep into manual testing to uncover vulnerabilities that automated tools might miss. Validate automated findings and provide detailed remediation guidance to development teams based on your expert analysis.
Automated Testing Pipeline Development: Design, implement, and maintain automated security testing pipelines using GitHub Actions. Integrate security tools into CI/CD workflows to enable continuous testing. Enhance pipeline efficiency by automating vulnerability identification, tracking, and validation processes.
Collaboration with Development Teams: Act as the primary security liaison for engineering teams, guiding secure coding practices and remediation strategies. Review and approve remediation actions to verify closure of identified vulnerabilities.
Process Development and Metrics: Establish workflows for vulnerability triage, testing, and closure. Develop and monitor metrics to measure the effectiveness and efficiency of vulnerability management processes.
What You'll Bring:
We're looking for candidates with a strong foundation in cybersecurity and a desire to learn and grow. Ideally, you'll have experience with:
Hands-on experience performing binary analysis to identify vulnerabilities and security weaknesses.
Direct experience using debuggers (e.g., GDB, WinDbg) to analyze binaries and investigate potential security flaws.
Expertise in building and managing automated security testing pipelines in CI/CD workflows.
Strong knowledge of static and dynamic application security testing tools and methodologies.
Hands-on experience conducting manual security testing, including penetration testing and vulnerability validation.
Proficiency in TypeScript/JavaScript.
Experience working with development teams to remediate vulnerabilities and ensure secure software delivery.
Familiarity with secure coding practices and common vulnerabilities (e.g., OWASP Top 10, CWE/SANS Top 25).
Knowledge of modern security frameworks such as MITRE ATT&CK and NIST CSF.
Bonus Points:
Experience with desktop applications.
Proven ability to automate complex security testing workflows.
Published tools or research related to security testing or vulnerability management.
You're the Right Fit If You're:
Proactive and detail-oriented, with a strong drive for delivering secure solutions.
An effective communicator who can articulate security issues and remediation strategies to technical and non-technical audiences.
Collaborative and adaptable, thriving in fast-paced and cross-functional environments.
Exciting Projects on the Horizon:
You'll be involved in key initiatives like:
Automated Testing Pipeline Development: Designing and implementing automated security testing workflows in GitHub Actions.
Vulnerability Lifecycle Management: Establishing comprehensive frameworks for tracking and closing vulnerabilities.
Hands-On Security Testing: Conducting manual penetration tests and validating automated findings.
Collaboration with Development Teams: Partnering with engineering teams to remediate vulnerabilities and improve secure development practices.
Continuous Improvement of Testing Tools: Regularly evaluating and integrating cutting-edge tools and methodologies into testing pipelines.
If you're ready to take ownership of testing and remediation processes while driving innovation in secure software development, we encourage you to apply! Even if you don't meet every single requirement, we're looking for passionate individuals with a strong foundation and a desire to learn.
About Kong:
Kong Inc. is a leading developer of cloud API technologies, enabling companies around the world to become “API-first” and securely accelerate AI adoption. Kong helps organizations globally — from startups to Fortune 500 enterprises — unleash developer productivity, build securely, and accelerate time to market. For more information about Kong, please visit www.konghq.com or follow us on X @thekonginc.