Senior / Staff Software Engineer - DevSecOps Security Expert (Developer)
Company: OKX
Who We Are
At OKX, we believe that the future will be reshaped by Crypto, ultimately contributing to every individual's freedom. OKX began as a crypto exchange giving millions of people access to crypto trading and over time became one of the largest platforms in the world. In recent years, we have developed one of the most connected Web3 wallets, used by millions to access decentralized crypto applications (dApps). OKX is a brand trusted by hundreds of large institutions seeking access to crypto markets on a reliable platform that seamlessly connects with global banking and payments. In the last year, OKX has expanded into new markets including Australia, Brazil, the Netherlands, Singapore and Turkey, with plans to launch in the US, Belgium and the UAE. We are deeply committed to shaping a fairer, more transparent and accessible society through blockchain technology. This is why we publish proof of reserves monthly, and continue to ship new, innovative security features.
About the Opportunity
This opportunity focuses on supporting the development and iteration of the DevSecOps DAST scanning engine within security products, with a goal of enhancing scanning efficiency, detection rates, and coverage. You will analyze the scope and priority of identified vulnerabilities, develop and optimize scanning and suppression rules, and ensure accurate and reliable detection. Additionally, you will play a key role in governing existing business operations to strengthen security management and drive continuous improvement.
What You’ll Be Doing
- Develop and maintain the DevSecOps DAST scanning engine.
- Write and optimize DAST scanning rules based on complex application scenarios, verify vulnerabilities identified by the DAST scanning engine, and ensure the accuracy of vulnerability scanning and reproduction.
- Analyze the scope and priority of identified vulnerabilities, formulate false positive suppression rules, and improve the accuracy of vulnerability identification.
- Continuously iterate the DAST engine, optimize the scanning process, improve scanning efficiency and detection rate, and enhance scanning coverage.
- Collaborate with development, operations, and security teams to support vulnerability remediation and security improvements, providing recommendations for security hardening.
- Provide technical support and training to team members, promoting best practices in security governance.
What We Look For In You
- Minimum 5 years of experience in DevSecOps or related fields.
- Familiar with the principles and practical applications of DAST, capable of handling the development and construction of the scanning engine.
- Solid proficiency in Golang and/or Java, able to write automation scripts to support vulnerability scanning, remediation, and engine optimization.
- Proficient with DAST tools (such as AWVS, Xray, Burp Suite, etc.) for vulnerability scanning, and able to customize scanning rules for specific business needs.
- Able to analyze and address false positives and false negatives in the DAST scanning engine.
- Deep understanding of microservices architecture, with familiarity in vulnerability reproduction in microservice and RPC environments.
- Familiar with common web application vulnerabilities (such as SQL injection, XSS, CSRF, file upload vulnerabilities, etc.), their principles, and remediation measures.
- Familiar with the DevSecOps process, able to integrate DAST tools and scanning engines into CI/CD pipelines.
- Strong problem analysis skills and technical documentation writing abilities, capable of analyzing vulnerability reports and providing feasible remediation solutions.
- Good communication and teamwork skills, with the ability to collaborate closely with cross-functional teams to implement security initiatives.
Nice to Haves
- Experience with other security testing tools and methodologies.
- Relevant security certifications.
- Familiarity with containerization technologies and cloud-native architectures, with practical experience in DAST scanning in cloud environments.
- Experience in DAST engine development is a plus.
Perks & Benefits
- Competitive total compensation package
- L&D programs and Education subsidy for employees' growth and development
- Various team building programs and company events
- Wellness and meal allowances
- Comprehensive healthcare schemes for employees and dependants
- More that we'd love to tell you about along the way!