Application Security Engineer
Acronis is revolutionizing cyber protection by integrating backup, disaster recovery, storage, next-generation anti-malware, and protection management into one solution. This all-in-one integration removes the complexity and risks associated with non-integrated solutions and offers easy, complete and reliable data protection for all workloads, applications, and systems across any environment—physical, virtual, cloud, and mobile—all at a low cost.
Founded in Singapore in 2003 and incorporated in Switzerland in 2008, Acronis is truly a global organization with more than 1,900 employees in 33 locations in 18 countries. Its solutions are trusted by more than 5.5 million consumers and 500,000 businesses, including 100% of the Fortune 1000 companies. Acronis products are available through 50,000 partners and service providers in over 150 countries in more than 30 languages. Acronis is in an exciting phase of growth and expansion, recently receiving a $250 million investment from CVC Capital Partners, bringing the total valuation to more than $2.5 billion.
Acronis is a world leader in cyber protection—empowering people by providing them with cutting-edge technology that enables them to monitor, control, and protect the data that their businesses and lives depend on. We are in an exciting phase of rapid growth and expansion and are looking for a Security Engineer who is ready to join us in creating a #CyberFit future and protecting the digital world!
The Application Security team works to make Acronis applications more secure against all kinds of threats. You will work with the good guys on their responsible disclosures. You will find security bugs before the bad guys do. Together with the Development team, you'll change development processes and practices to ensure that such bugs never appear in our code again. You will monitor attacks and respond to them. You will create novel detection solutions and advanced approaches to protecting applications.
What you will do:
- Threat modeling: Think about how attackers can compromise a system and what protections are needed against them.
- Secure Software Development Lifecycle: Help developers write secure code that minimizes vulnerabilities by implementing secure coding standards, techniques, and best practices. Define and approve the security architecture of the developed solution.
- Security code reviews: Identify security vulnerabilities in source code before an application is deployed to production.
- Vulnerability testing and analysis: Discover weaknesses once an application is deployed and advise development teams on remediation.
1. Deep understanding of modern cybercrime and complex attack techniques
2. Good knowledge and understanding of major attacks and recent security events
3. Proven presentation skills and fluent spoken English
4. Experience in malware analysis (Windows executables, exploits, scripts)
5. Experience in penetration testing and understanding of exploitation techniques
- At least 2 years of experience in Application Security.
- Strong knowledge of modern web, mobile, and network security. Experience in penetration testing and understanding of exploitation techniques for web and mobile applications.
- At least basic programming skills in Go, Python, or other languages. You don't need to be a skilled developer, but you will need to find a common language with our R&D team, so at least some understanding is necessary.
- Any public research, tools, or disclosed tickets will be considered a strong advantage. Have you written a blog post about your research, or do you have a CVE? Please be sure to mention it.
Please be ready to answer the following questions in an interview:
- What is the Same Origin Policy? Share your knowledge about Cross-site scripting contexts
- Describe any attack like SQL injection, XXE, SSRF, or any other. Suggest the right fixes and possible bypasses
- (Windows Security) Your opinion about LPE from Admin to the System user
- How to count possibly compromised accounts?
- Be ready to write a simple exploit or a few lines of code that check some kind of attack vector