Security R&D Engineer
Ukraine・Full time・Flexible remote // Researching and breaking software.
The opportunity
Cossack Labs is looking for a Security R&D engineer to join our Security team and work with us on building and breaking software. If you are interested in breaking, designing and building security controls, working hand-in-hand with software developers, and performing security assessments, this may be the position for you!
We are a data security solutions company, developing software products (open-source and proprietary), as well as providing custom bespoke solutions to innovative development teams around the world. Our mission is to make strong security methodologies and approaches convenient within modern infrastructures and, as software is eating the world, help it eat the world responsibly, without leaking customers’ data.
Our software is well-known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems.
We work in the B2B space, with customers such as power grid operators, payment processors, legal companies, and million-user customer applications. We cater to young ambitious startups and well-established enterprises, who use our software and solutions as a core part of their security arsenal. Our customers are smart, but extremely demanding.
Markets: EU, UK, USA.
You will:
- Participate in the research and development of systems with elevated security demands for us and our customers.
- Research and bypass security controls in firmware and software, perform reverse engineering and analysis of how things work.
- Participate in building (designing, assembling from existing tools and implementing some missing bits) software that provides certain security features. Examples: hardware devices that collect and protect telemetry and send it to a server for secure processing (see case study), or designing and implementing security of specialised IIoT devices that run ML (see case study).
- Research new technologies and emerging security threats in the industry (read articles, understand their essence, understand how to apply the described ideas) and adapt them to applied security problems.
- Work with security across different stacks: mobile and web applications, cloud and on-prem infrastructures, dedicated hardware, vehicles, power plants, hardware security modules, and weirder stuff beyond casual imagination. Dive into application security, infrastructure security, data security, IoT security, ML security with our team of skilled engineers.
- Share your research as conference talks and blog posts, and contribute to open source standards like OWASP.
We would expect you to have:
- Deep understanding of how computers work, preferably from the deep hardware level. Understanding of how various operating systems work.
- In-depth understanding of how the internet works.
- Deep practical skills in building software (programming languages of your choice) or breaking software (tools of your choice).
- Experience in performing security assessment for web and/or mobile apps.
- Experience with the popular security tools required for the job, or the ability to learn them quickly.
As a plus you’d have
- A certain area of expertise and deep interest: web, mobile, IoT, infrastructure – an area where you have “seen things” and are ready to share your experience.
- Understanding of real-world automation (ICS) from microcontroller to SCADA system level, or an interest in attaining that.
- Understanding of different communication systems (RF & wired).
- Experience in reverse engineering applications, bypassing TLS pinning, analysing source code. Experience in jailbreaking/rooting your devices. Escaping sandboxes.
- Basic knowledge in cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, KDF.
- Interest and experience in IoT and smart devices: power issues, lightweight protocols, security communication problems, understanding supply chain attacks, timing attacks, power usage issues.
Please note that you can be a perfect fit even if not everything we’ve outlined above applies to you. If you have any questions, please don’t hesitate to ask – everyone is unique.
We offer:
Unique area of expertise:
- Interesting and challenging work in applied security engineering: from building to breaking. Working at the intersection of different areas: designing ML security controls, supporting cryptographic protocols with security controls, protecting hardware, building reverse-resilient mobile apps, securing web apps for millions of users, etc.
- Public track record in the open source part of our products, sharing your work as blog posts, research papers and conference talks. We work with innovative companies all over the world, move quickly and dive into technologies others just hear about.
- Work at the intersection of technologies: cryptography, software engineering, information security. You won’t be bored :)
- A sense of meaning and responsibility for those who seek purpose – we’re building the “invisible texture of modern civilization”: bits of infrastructure that finance, power grids and healthcare rely on, and we are trusted with very challenging aspects of it.
- Friendly and experienced team: smart people to learn from, great people to build with. Each of us is unique, we value and support each other.
- An atmosphere that motivates you to grow and get smarter every month, a healthy ratio of routine / experimentation.
- Trust: schedule, reporting and bureaucracy are kept at a reasonable minimum. We hire smart people and trust them to do the right thing. When things go wrong, we help rather than punish.
- Shared decision making: this business is driven by engineering excellence, so engineers are an important part of tactical and strategic business decisions.
- Friendly to humans: not just a formal vacation and sick leave quota. Feel like your mental or physical wellbeing needs care? Take some time off. Feel like working a few days from home? Sure. As long as you’re in line, we are here to support you when you’re not.
- Team that facilitates internal learning and growth all the time.
- Interesting technologies to work with — sometimes, even unique ones (we design applied cryptography schemes and techniques and novel ways to use them).
- Interesting engineering challenges across the board, ability to hop from high-level system design to protocol reverse engineering and clever data modelling hacks.
- Management attention to help you improve upon your personal goals (through regular 1:1s and mentoring).
- Competitive compensation with flexible bonus scheme.
- Sick leaves, 21 vacation days a year, extra days off — according to agreements and laws.
- Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops and blog posts.
Not sure but considering? Talk to us.
If you see yourself as a fit but a few things are off — don’t hesitate to talk anyway. It might be that your unique combination of skills and knowledge would be perfectly fitting for our environment, but we both just don’t know it yet.
How to apply?
We'd like to get your CV to start a conversation. A supporting letter explaining your story and experience in application security, what you have done in the past and what kind of work you find interesting would help, but is not necessary.