R3 is an enterprise blockchain software firm working with a broad ecosystem of more than 300 members and partners across multiple industries from both the private and public sectors to develop on Corda, our open-source blockchain platform, and Corda Enterprise, a commercial version for enterprise usage.
Our global team of over 200 professionals in 13 countries is supported by over 2,000 technology, financial, and legal experts drawn from our global member base.
The Corda platform is already being used in industries from financial services to healthcare, shipping, insurance and more. It records, manages and executes institutions’ financial agreements in perfect synchrony with their peers, creating a world of frictionless commerce.
We are looking for a Security Research Engineer to join an amazing group of technologists to contribute to Corda, Corda Enterprise and other products in the Corda ecosystem. The role will revolve around securing the Corda platform, by undertaking vulnerability assessments, conducting research and contributing to all stages of the secure development life-cycle. This will require collaborating with the engineering team to understand the development process, and supporting development using threat modelling, architecture and design.
You will have a history of conducting application vulnerability assessments and will be able to clearly communicate your findings through report writing and close collaboration with the engineering team. Ideally you will have some knowledge of the secure development life-cycle and software engineering principles. You can work independently to research a problem domain to gain insight and subsequently deliver the work and solve the problem. You will be comfortable getting into the guts of a complex distributed system and be able to conceptualise its operation at many levels. Most importantly you are excited and motivated by the challenge of solving hard problems in a way that delivers to clients and delights them.
· Perform vulnerability assessments of the Corda platform under direction of the lead security engineer.
· Conduct security research to identify novel threats and mitigations that may impact the Corda platform.
· You will support the engineering team by:
– Educating the team on relevant attacks, defence, mitigations and tooling
– Contributing to secure software development design guidance that addresses both the security and business needs
– Reviewing source code to support the delivery of software
· Undertake threat modelling sessions and contribute to software designs.
· Support research and evaluate the state of the art within the distributed ledger space.
· First and foremost, we want you to love what you do. You’ll need to be a security evangelist within R3 and the community of Corda participants, both current and future.
· You’ll have five or more years’ experience in a direct information security role, with at least three of those specialising in application security assessment. We’d love to see evidence of other experience too; you might have been a developer or network operations person in a previous life.
· We believe that we work better as a team, and hope you share that belief. You’ll be working in a diverse group of people with a variety of skills and backgrounds; a high level of emotional intelligence will be assumed.
· You’ll need excellent communication skills, both verbal and written. You’ll be happy presenting to the company at all-hands meetings or explaining the impact of vulnerabilities you identify to a range of stakeholders.
· Good understanding of standard security vulnerabilities and their standard fixes and mitigations
· Ability to identify security issues at different stages of the SDLC – from architecture & design through to implementation
· Experience performing dynamic analysis of software using debugging tools
· Expertise in Java, Kotlin, or a similar high-level language
· PKI and Cryptography
· In-depth knowledge of Java and JVM internals is beneficial
· Reverse engineering experience
· Experience solving Capture-the-Flag challenges is a bonus!
· Develop tools to support vulnerability analysis
· Excellent written and verbal communication skills, including the ability to convey highly technical information to non-technical audiences.
· Build relationships with engineering teams to improve product security
· Using revision control systems