
DevOps Security Engineer
Posted Jun 5
This is a fully remote position, open to applicants in Germany.
• Take charge of the security posture for all products: Legacy, Trading Bot, and upcoming platforms. If a breach occurs, it falls under your responsibility, and if there are no breaches, it is a testament to your efforts.
• Carry out regular penetration testing, vulnerability assessments, and threat modeling in accordance with OWASP standards and methodologies.
• Ensure comprehensive coverage of the OWASP Top 10 in application security testing, code reviews, and deployment checks.
• Conduct security-centric code reviews across frontend, backend, and infrastructure code, identifying issues that standard code reviews might overlook.
• Implement and manage secrets management solutions (Vault, AWS Secrets Manager, or KMS), access controls, and least-privilege policies.
• Develop and maintain incident response playbooks. When incidents occur, you lead the response, conduct post-mortems, and implement fixes.
• Stay proactive against Web3 and crypto-specific attack vectors: phishing campaigns, wallet exploits, API key compromises, supply chain attacks, and social engineering threats.
• Oversee and coordinate external security audits and penetration testing conducted by third-party firms.
• Design and implement testing strategies across all products, including unit tests, integration tests, end-to-end tests, API tests, and regression suites.
• Develop and maintain automated testing frameworks and CI quality gates to prevent defective code from reaching production.
• Define and monitor quality metrics such as test coverage, flakiness rate, regression detection latency, and bug escape rate.
• Write and execute security test cases for authentication flows, authorization controls, input validation, API abuse scenarios, and edge cases involving financial data.
• Perform both white-box and black-box testing, utilizing full codebase access to identify issues that conventional QA may miss.
• Test across the entire stack, including frontend UI, backend APIs, database queries, third-party integrations, and on-chain interactions.
• Maintain and enhance cloud infrastructure on AWS using Infrastructure as Code (Terraform or CloudFormation).
• Manage CI/CD pipelines (preferably GitHub Actions) for automated testing, security scanning, linting, and deployment.
• Strengthen infrastructure security through network security, IAM policies, container security, and environmental isolation.
• Establish logging, monitoring, and alerting across all services (CloudWatch, Prometheus, Grafana, or similar).
• Ensure audit trails are maintained for user actions, system changes, and access events.
• Manage production reliability, incident responses, and cost optimization.
• Contribute production code for both frontend and backend, instilling a security-first mindset in every feature you develop.
• Collaborate with the engineering team to build features, resolve bugs, and implement improvements.
• Every line of code you write should make the product more resilient, with input validation, error handling, authentication, and data protection built in by default.
• Engage in architecture discussions and code reviews, advocating for testability, reliability, and security in every decision.
• Over 5 years of experience in software engineering roles with substantial, hands-on security and QA experience. We will verify this; if your security experience is purely theoretical, this position may not be suitable for you.
• Full-stack development experience: capable of building and deploying features across frontend (React or similar) and backend (Node.js, Python, Go, or similar).
• Hands-on experience in penetration testing and vulnerability assessments for web applications, APIs, and cloud infrastructure.
• Strong understanding of OWASP standards, including the OWASP Top 10, OWASP Testing Guide, and secure coding practices.
• Experience in creating automated test frameworks and integrating testing into CI/CD pipelines.
• Proficiency in AWS (EC2, ECS/EKS, Lambda, VPC, IAM, S3, RDS, CloudFront, WAF).
• Familiarity with Infrastructure as Code tools (Terraform, CloudFormation, or Pulumi).
• Experience with container technologies such as Docker and Kubernetes in production environments.
• Proficient in scripting and automation using Bash and Python.
• Experience with secrets management tools (HashiCorp Vault, AWS Secrets Manager, or similar).
• Knowledge of security and testing tools (Burp Suite, OWASP ZAP, Selenium, Cypress, Jest, Postman, or equivalent).
• Excellent communication skills: able to clearly explain security risks and quality trade-offs to non-technical stakeholders.
Nice-to-Have:
• Security certifications such as OSCP, CISSP, CompTIA Security+, AWS Security Specialty, or equivalent.
• Previous experience with a crypto, DeFi, Web3, or fintech product company (Coinbase, Phantom, Stripe, Casa, MetaMask, Zerion, Ramp, or similar).
• Familiarity with Web3-specific security challenges: wallet security, key management, on-chain monitoring, and phishing prevention.
• Background in SDET or experience in a hybrid development-and-testing role.
• Experience testing financial systems: payment flows, ledger integrity, double-spending prevention, or transaction monitoring.
• Experience with implementing zero-trust architectures.
• Participation in bug bounty programs, CVE publications, or contributions to open-source security tools.
• Competitive salary along with performance-based incentives linked to retention and LTV improvement.
• Direct exposure to company founders.
• Team offsite events.
• Flexible remote work options.
• A role that offers high ownership and significant impact.