Tyk • United Kingdom

Application Security Engineer


Fully flexible hours

Dog friendly

Job Description

Who are Tyk, and what do we do?
The Tyk API Management platform is helping to drive the connected world and power new products and services. We’re changing the way that organisations connect any number of their systems and services. Whether internal, external, public or highly encrypted systems, Tyk helps businesses drive value across the retail, finance, telecoms, healthcare, or media industries (to name just a few!)

If you’ve banked online, used an app to check the news, or perhaps even driven a connected car, APIs, and by extension Tyk, make that possible. Founded in 2015 with offices in London - UK, London - Ontario, Atlanta and Singapore, we have many thousands of users of our B2B platform across the globe. Brands using Tyk range from Lotte, Bell, T Mobile, to RBS, Capital One and Vinci. We have a varied user base hailing from every continent – even Antarctica.

Our Mission

Tyk is on a mission to connect every system in the world. We’ve started by building an API Management platform.

Total flexibility, default remote, radical responsibility

We offer unlimited paid holidays and remote working from anywhere in the world, for everyone. Why? Tyk was founded on the principle of offering flexibility and autonomy to our employees; we believe this allows our employees to achieve their best results. It also means we can build the best possible team: location and working hours are no barrier.

If this sounds like an environment that you believe could work for you then read on to find out more.

The role:

We’re looking for an Application Security Engineer to be responsible for ensuring security from cyber threats and vulnerabilities, to collaborate with software developers and IT teams to integrate security protocols into the development process, and to conduct regular security audits to assess and improve the overall security posture of the applications.

Here’s what you’ll be getting up to:

  • Review our current approach to security within the software development lifecycle (SDLC), and build a situation assessment and/or opportunity canvas which allows us to shift left on security
  • Build clear and compelling security strategies which reduce our post-launch exposure and our post-launch security rework
  • Build a clear set of product security metrics which are used both to provide a health baseline and to demonstrate improvement over time
  • Create a best practice policy to ensure security by design, and work with product teams to embed these processes and measure their impact
  • Maintain security risk and issue logs for products with the express aim of mitigating security risks before they become issues
  • Design and communicate best practice processes and tooling, such as threat modelling and horizon scanning, which allow the product teams to ensure we are identifying risks and have clear plans to mitigate them
  • Build a roadmap of vendor upgrades which we need to effect to keep secure, and ensure these are fed into the relevant product domains
  • Create and maintain a vulnerability register, and work with product teams to remedy these
  • Advise on scanning techniques and tooling (such as OWASP, licensing) which allow us to find and remedy vulnerabilities ahead of code merge
  • Work with Operations teams to provide data and answers to support ongoing compliance initiatives, such as SOC2 and ISO
  • Respond and update publicly to any of our responsible disclosure programs (Zerocopter, CVEs etc) to ensure Tyk is seen as responsive and responsible
  • Assist the QA team with the pen test process, designing pen test scope, transferring results to vulnerability registers, and ensuring product team assessment and resolution of vulnerabilities
  • Optimise existing tooling (SonarCloud / Dependabot) and introduce new tooling where appropriate to reduce risk, then work with the product teams for easy adoption
  • Run the post mortem process when required for high impact security issues which slip into production, and ensure root cause actions so it never reoccurs
  • Assist post and pre sales functions with security queries, or closing gaps identified by customers and prospects


  • A good understanding of API management, Golang, containers (i.e. Kubernetes), distributed cloud providers (AWS, GCP), packages and distros (i.e. Docker), deployment tooling (i.e. Terraform, Ansible)
  • Deep SDLC knowledge
  • Deep security knowledge
  • Deep working knowledge of security frameworks and protocols, OWASP, Cyber Essentials etc
  • Data led strategy derivation and continuous improvement

We all share the same vision - we value authenticity, respect, responsibility, independence, honesty, diversity and inclusion and, most importantly, treating others how you wish to be treated. We look for like-minded people who bring their personalities to work every day, strive to achieve their personal goals and are willing to challenge the way we do things. Why? To make what we do even better!

Our values tell the story of Tyk - here’s how:

  • It’s ok to screw up!

We’ve found that it’s often the ‘stupid’ or unexpected ideas that turn out to be the successful ones - so try it, at least we can say we have!

  • The only stupid idea, is the untested one!

It’s in our DNA - starting a business with founders 12 hours apart, giving our gateway away for free - sure, we did that, and we’d do it again!

  • Trust starts with you - make it count!

Trust is a two-way street - instil it from day one!

  • Assume best intent!

We have each other’s back - we’re all on the same team. Think before you speak or act.

  • Make things better!

Always try to leave things better than when you found them - change is constant, inevitable and embraced! Be that change we want to see.

What’s it like to work here? Check it out: https://tyk.io/worklife/

Tyk is an equal opportunities employer and we are determined to ensure that no applicant or employee receives less favourable treatment on the grounds of gender, age, disability, religion, belief, sexual orientation, marital status, or race, or is disadvantaged by conditions or requirements which cannot be shown to be justifiable.

You can see more about us here https://tyk.io


Here’s why you should join us:

  • Everyone has unlimited paid holidays.
  • We have total flexibility in hours, as we believe creativity flows better when our people are given freedom to decide when they are most productive. Everyone is unique after all.
  • Employee share scheme
  • Generous maternity and paternity leave
  • Volunteering Days
  • Company retreats
  • Employee Wellbeing platform

Company benefits

Enhanced maternity leave – 5 months full pay after completing 26 weeks' work
Enhanced paternity leave
Adoption leave
Shared parental leave
Work from anywhere scheme
Unlimited annual leave
Teambuilding days
Teambuilding holidays
Hofy home office set up
Equity packages
Company shutdown periods
Company wide holidays/offsites
Volunteer days
Employees are very happy with their working location freedom
Employees are very happy with the flexibility in the hours they work
Employees are largely happy with the benefits their company offers
Work-life balance
Employees feel that they can find the perfect balance of life and work
Role modelling
Employees feel that flexible working is part of the culture
Employees feel they have complete autonomy over getting their work done

Working at Tyk

Office locations

London - UK, Atlanta - Georgia, Singapore, Canada

Funding levels

$40 million

Hiring Countries




United Kingdom

United States

Awards & Achievements

Most flexible companies (Flexa100 2024)
SaaS & Software (Industry awards 2023)
2nd – Scaleup companies (Flexa100 2023)
2nd – Saas & Dev Software (Industry awards 2022)
