Security Engineer, Kraków
We have come a long way since our first currency feed 23 years ago. We are an award-winning global company offering leading currency solutions for both retail and corporate clients, from a tech start-up to a global corporation. Founded in 1996, we became the first company to share exchange rate information on the internet free of charge, and in 2001 we launched a trading platform that helped pioneer the development of online-based trading around the world, enabling forex and CFD investors to trade the financial markets. Our vision is to transform how our clients can meet all of their currency needs with innovative and award-winning solutions. Under new ownership with significant ambitions to grow the business on the global stage, we are looking for highly motivated, passionate individuals who want to make a mark in a dynamic environment.
OANDA is looking for a Security Engineer with an insatiable desire to use their development skills to apply and implement security best-practices in our full stack of products – including APIs, mobile apps, front-end websites, and a backend for a financial platform – deployed in both on-premise and cloud environments globally. In this role, you will be responsible for helping us “push security left”, and ensuring it is a core part of our operational and development processes across the organization. In addition, you’ll be responsible for the design and implementation of security-centric components of our product, including authentication and authorization, 2FA, and components that ensure the integrity and authenticity of customer transactions. In this role, you will be reporting to the CISO, and will have team members in both Poland and Canada.
- Build security-critical software components directly, and with the assistance of our development teams. We use JS, Go, Python, C++, and Java (among other languages!), and recognize that you may not be an expert in all of these but should have the ability to develop in, and navigate the security pitfalls of software written in at least a few of these languages.
- Work cross-functionally to apply defense-in-depth principles at every layer – you may find yourself working on anti-social engineering training on Monday, writing Terraform (infrastructure-as-code) to harden our cloud deployments on Tuesday, advising our marketing department on OpSec best-practices on Wednesday, reviewing C++ code for security vulnerabilities on Thursday, and writing a remediation to a security vulnerability on Friday.
- Work with our developers to identify and track key patches to libraries and third-party applications to mitigate supply-chain vulnerabilities.
- We believe that security is everyone’s responsibility, and that education is core to scaling our security function. Lead by example by engaging with other developers across the organization to demonstrate secure development principles through hands-on development engagements in our product platform. Help build a culture of security through continual advocacy and knowledge-sharing with your technical and non-technical colleagues.
- Help scale the impact of the security team through implementing DevSecOps practices – work with the development teams to set up automation tooling as part of our secure application development lifecycle, such as static code analysis, fuzzing, composition analysis, and other tools.
- You are a critical member of our internal blue team; lead tabletop and blue team exercises to help prepare our platform and our teams for potential security threats.
- Perform code-review to ensure security- and privacy-by-design practices are followed.
- Make security accessible! Instrument and expose key security metrics from our internal and external environment, and automate key security workflows (for example, through ChatOps) to help make security accessible to your colleagues across the organization, ensure continual proactive monitoring, and to demonstrate the impact of security initiatives to business stakeholders.
- Roll your own cryptography algorithm (kidding!). Ensure we don’t do this, and instead apply cryptography best-practices to maintain secure applications of PKI and hashing across our products, and good secrets management practices in our on-premise and cloud environments.
- Work with Security Analysts on your team to evaluate and identify areas for improvement to mitigate potential upcoming threats and regulatory obligations.
- Work in both an on-premise and cloud-native environment, to harden databases, networking equipment, operating systems, docker containers, Kubernetes clusters, and cloud environments.
- Stay up to date with the latest industry best-practices and security landscape through involvement in security conferences and events (RSA, DefCon, BSides, etc).
Experience & Skills:
- Experience as a software developer is important, as this is primarily a security-focused development position.
- Experience in infrastructure concepts (networking, databases, cloud and on-premise infrastructure)
- Knowledge of privacy regulations (GDPR)
- Working knowledge of security standards such as SOC2, ISO27001/ISO27002, NIST, OWASP, SANS, etc.
- Experience working in the financial / FinTech industry is not required, but knowledge of industry-specific threats and the regulatory landscape is an asset.
OANDA Global Corporation is a diverse and global team with offices around the world. We value the unique skills and experiences each individual brings to OANDA. We are committed to creating and sustaining a collegial work environment in which all individuals are treated with dignity and respect and one which reflects the diversity of the community in which we operate. We provide an inclusive and accessible environment for everyone. Candidates selected for an interview will be contacted directly. If you require accommodation during the recruitment and selection process, please let us know. We will work with you to provide as seamless a recruitment experience as possible.