Senior Security Engineer, Product Security
At Ocrolus, we believe companies work best when they focus on their core business and let automation do the rest. We’re powering the digital lending ecosystem and help financial services firms make high-quality decisions with trusted data and unparalleled efficiency.
Ocrolus’ Human-in-the-Loop document automation software analyzes documents with over 99% accuracy. We're replacing legacy OCR vendors that cap out at 75-80% accuracy, and augmenting the robotic work that humans are prone to doing all too often – which can be expensive, error-prone, and slow. By empowering lenders to analyze diverse sources of financial data more efficiently, Ocrolus levels the playing field for every borrower, providing expanded access to credit at a lower cost.
We’ve raised over $100 million from blue-chip investors and are working with customers like PayPal, Brex, SoFi, Blend and Plaid. Join us as we build the future of fintech, and make an impact at an award-winning, high-growth startup that Forbes recently dubbed the “Next Billion-Dollar Startup”.
Ocrolus is a fast-growing financial technology SaaS (Software-as-a-Service) organization. We are building a world-class security program to secure Ocrolus and our customers' data. We are looking for diverse security practitioners to help us design, build, and scale product security at Ocrolus. We value critical thinking, creativity, data-driven and intelligence-driven approaches, and offensive experience. We believe security is a collaborative process, where security is a partner that helps achieve business goals securely. We believe in saying “yes, and” instead of “no” when recommending security objectives. We don’t believe in using fear or penalty to enforce security policies and processes, and we will always provide evidence and justification for security controls.
What you’ll do:
- Work with the CISO in building the product security roadmap, strategy, and vision.
- Conduct design and architecture reviews for Ocrolus products and infrastructure.
- Perform code reviews and application security assessments.
- Engage with the development teams to conduct secure design reviews/threat modeling exercises.
- Identify vulnerabilities/threats that could affect Ocrolus products through independent research and work with the developers on workarounds/mitigation plans.
- Be the go-to person for developers in solving critical issues relating to secure product development.
- Run penetration testing targeting critical data, services, and environments. Report underlying security issues and propose enhanced security protections.
- Write and disseminate security guidelines for common security issues, remediation, and security technology baselines.
- Guide engineering teams on secure coding and testing principles/practices.
- Be a role model for the team and provide a healthy platform for the team to learn and grow.
- Build relationships with stakeholders throughout the engineering and product organizations.
- Spread security culture throughout the organization.
What you'll bring:
- 5+ years of experience working in product/application security roles.
- A passion for identifying vulnerabilities and exploitation techniques.
- The ability to interpret and explain multiple classes of vulnerabilities such as cross-site scripting, SQL Injection, CSRF, cryptographic-related weakness, and code injection to various audiences, such as development and management teams.
- Experience in designing and building a wide variety of technical security controls.
- Experience in performing threat modeling, design reviews, code reviews, web application security testing, and enterprise cloud penetration testing.
- Stellar understanding of secure software development lifecycle (SDLC) and ability to integrate security practices and threat modeling into development processes.
- The ability to automate product security processes and optimize productivity with SAST & DAST tools.
- Experience in cloud security architecture and infrastructure.
- Good proficiency with a programming language (e.g., Java, Python, Go, Bash).
- Good knowledge of authentication, authorization, and access control mechanisms, cryptographic algorithms, and secure network communication protocols.
- Self-driven with great communication and prioritization skills.
Additionally (a plus):
- Published CVEs / articles on application security.
- Contributions to open-source security software.
- Certified in application security or penetration testing (e.g., OSCP).
We take pride in our dynamic, diverse team, unified by shared values of Empathy, Curiosity, Humility and Ownership. We love what we do and the people we do it with, which is why we welcome every individual and provide them with equal opportunity irrespective of their race, gender, gender identity, age, disability, national origin or any other legally protected characteristic.
We look forward to hearing from you!