About This Role
Halodoc is looking for an individual who can adopt the mindset of an attacker to proactively identify security vulnerabilities and collaborate closely with cross-functional teams to promptly address them.
This role involves taking charge of end-to-end secure development requirements and discovering vulnerabilities and security misconfigurations through Penetration Testing, Vulnerability Assessment, Threat Modeling, Red-teaming exercises, etc.
You are expected to provide the remediation strategy specific to the Halodoc product tech stack by carefully considering the tradeoffs between security and user experience.
Additionally, we are looking for someone passionate about exploring new technologies (e.g., LLMs) and methodologies to constantly improve our security posture. We believe the successful candidate is a team player with excellent communication skills, creative problem-solving ability, and a strong passion for product security.
Security Engineer, Product Security
To apply for this position, you must have:
- Minimum 6 years of experience building and securing software, with at least 4 years focusing on Web or Mobile application security.
- Hands-on experience performing security design reviews, threat modelling, or security testing.
- Ability to analyze security requirements and design secure cloud solutions based on AWS services.
- Ability to utilize a variety of tools like Git, Jenkins, Artifactory, Gradle, Groovy, YAML, and AWS security capabilities (WAF, Security Hub, GuardDuty, Security Groups, IAM, etc.).
- Relevant knowledge of modern web and mobile app security landscape, real-world attacks and mitigations.
- Enthusiasm for writing code, and helping others do the same.
- Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
- Proactive and self-driven, able to succeed in a remote working environment.
Key Job Responsibilities:
- Conduct product/feature level Design Reviews, Code Reviews, Threat Modeling, Penetration Testing and Vulnerability Assessment.
- Discover vulnerabilities through Web, Mobile and API Penetration testing.
- Improve and oversee the configuration of Web Application Firewall (WAF) systems to safeguard the Halodoc applications against external threats and malicious attack patterns.
- Automate security test cases and guide the security team in writing both SAST & DAST custom rules as well as Cloud security automation.
- Implement new or improved technologies and tooling, such as SAST, DAST, SCA, etc., to strengthen Halodoc security posture and drive innovation while maximizing ROI.
- Investigate user security issues, utilizing product knowledge and logs to understand potential incidents, and propose improvements to monitoring for quicker detection and containment of similar issues.
- Support the Halodoc Bug Bounty program by triaging submissions, proposing remediations, and determining the root cause and severity of reported vulnerabilities.
- Take an active role in driving internal security and privacy initiatives.
- Interact directly with the security community regarding vulnerabilities and threats.
- Analyze, assess, and respond to various security threats.
Good to have Qualifications:
- OSCP and/or AWS Certified Security certification is a plus.
- Bug bounty experience is a plus.
- Solid experience in writing and reviewing code in at least one of the following programming languages: Java, JavaScript (Node.js), Go, Python.
- Research on AI-specific security threats, including prompt injection, backdoors, and privacy extraction.
Preferred Qualifications:
- Contributions to the security community (public research, blogging, presentations, etc.).
- B.S. or M.S. in Computer Science or a related field, or equivalent experience.