Senior Offensive Security Specialist

About Bullish

Bullish is an institutionally focused global digital asset platform that provides market infrastructure and information services. These include: Bullish Exchange – a regulated and institutionally focused digital assets spot and derivatives exchange, integrating a high-performance central limit order book matching engine with automated market making to provide deep and predictable liquidity. Bullish Exchange is regulated in Germany, Hong Kong, and Gibraltar. CoinDesk Indices – a collection of tradable proprietary and single-asset benchmarks and indices that track the performance of digital assets for global institutions in the digital assets and traditional finance industries. CoinDesk Data - a broad suite of digital assets market data and analytics, providing real-time insights into prices, trends, and market dynamics. CoinDesk Insights – a digital asset media and events provider and operator of Coindesk.com, a digital media platform that covers news and insights about digital assets, the underlying markets, policy, and blockchain technology.

Reports to:

Director, Offensive Security and Vulnerability Management

The Bullish Offensive Security and Vulnerability Management (OSVM) team provides Bullish Global with the capabilities to ensure that our products and services are secure and meet the security obligations expected by our customers and regulators. The OSVM team helps to secure all of Bullish Global, which includes the Bullish Exchange, CoinDesk, and CCData. The OSVM team regularly performs manual security assessments and penetration testing across a variety of technologies, source code reviews, vulnerability remediation support, automated security testing, security tool development, and red-teaming.

We are seeking a Senior Offensive Security Specialist to join our Offensive Security team to help secure Bullish Global. In this exciting role, you will be a key player within an elite security team delivering industry-leading Crypto services. This role will work closely with product and engineering teams to deliver secure software. This work will include delivering a wide range of security capabilities across a modern technology stack. This role will also work closely with developers to diagnose, document, and remediate application security vulnerabilities.

The ideal candidate will be a mix of hacker, programmer and security enthusiast who has a special passion for the unique promise and challenge of a dynamic environment working with a variety of products and teams.

Responsibilities:

• Perform web application penetration testing, source code reviews, and/or network penetration testing.

• Perform mobile and API penetration testing.

• Support project tasks and deadlines for engineering teams spanning multiple time zones.

• Create unique tools to assist in scaling the security program.

• Exploit vulnerabilities found in product systems and clearly communicate complex vulnerabilities to both technical and non-technical staff.

• Create detailed technical reports explaining technical and business risk of the vulnerabilities found to include actionable recommendations/considerations.

• Provide technical leadership/mentorship to the security and engineering teams.

• Writing new tools and automation.

• Reverse engineering.

• Other duties as assigned.

Required skills and experience:

• 5+ years of relevant experience in cyber security.

• Experience in performing senior-level penetration testing and application security assessments, conducting design code reviews, applying offensive security methodologies, and demonstrating high ethical standards.

• Familiarity with attack tools such as Burp Suite, Nessus, Kali Linux and similar tools.

• Knowledge of common attacks and vulnerabilities including OWASP Top 10 and SANS CWE 25.

• Exposure to and understanding of various security assessment activities including Mobile application assessments (iOS and Android),web Services API assessments (examples: REST, GraphQL and Message Queues), and hardware/embedded systems.

• Basic proficiency in multiple mainstream programming languages such as C/C++, Java, JavaScript, Python, or Go.

• Ability to effectively assess risks and severity and communicate vulnerability impact to management and engineering teams.

• Solid understanding of network and protocol basics including IP, DNS, HTTP and SSL/TLS.

• Familiarity with basic cryptographic concepts including PKI, cryptographic algorithms, application of cryptography for encryption at rest and in motion.

• Solid understanding and experience with software development practices across larger organizations, Agile fundamentals, Continuous Integration/Testing/Delivery tools and techniques, and familiarity with scanning and intelligence tools, including Vulnerability Management, SAST, DAST, OSA, and API traceability.

• Experience with public cloud concepts, architectures and tools (AWS, Azure and/or GCP).

• Proficiency with basic Linux systems privilege and permission models, admin and operational concepts, and basic scripting.

• Holder of Application Security and Penetration Testing certifications such as OSCP, OSCE or OSWE; other Information and Cyber Security certifications

• Inhouse and third party penetration testing experience

Bonus:

• Strong self-starter who has the ability to operate independently.

• Possess restlessness and desire to break into things.

• Developed communications skills with ability to deliver concepts effectively to non-technical audience including senior leadership; proficiency in preparation of presentations, analytical reports, and documents regarding program operational status, achievement and performance.

• Experience of external communications including papers and conference presentations.

Bullish is proud to be an equal opportunity employer. We are fast evolving and striving towards being a globally-diverse community. With integrity at our core, our success is driven by a talented team of individuals and the different perspectives they are encouraged to bring to work every day.