This position is open exclusively for Ukrainian residents within Ukraine (preferably Kyiv or Lviv).
Cossack Labs is looking for a Mobile application security engineer to join our Security team and work with us on building and breaking software. If you are interested in designing and building security controls, working hand-in-hand with software developers, performing security assessments, this may be the position for you.
We are ready to invest time in your education if you are prepared to work diligently and responsibly. Alongside technical skills, we’ll teach you leadership, time management, business context, and how to keep improving cybersecurity despite the ever-increasing entropy of the world.

You will:
* Participate in security assessments of mobile applications (iOS, Android, Flutter, React Native). Focus on platform-specific security controls (biometrics, secure storage, device capabilities, reverse-engineering protections). Perform analysis and threat modelling.
* Treat the mobile app as a gateway into a larger system; build security defences from the app to the backend and back (transport protections, TLS pinning, anti-fraud systems).
* Participate in SSDLC for our products and our customers’ products. Explain risks and threats, and work together with developers to select security controls that improve security without restricting usability or performance.
* Stay up to date with emerging security threats, vulnerabilities, and controls (read articles and papers, follow CVE updates, understand how the threat landscape is changing, understand how to apply the ideas described, read NIST guidelines).
* Dive into application security, infrastructure security, data security, IoT security, and ML security with our team of skilled engineers. See the related case study, written from an engineer’s point of view.
* Share your work as conference talks and blog posts (see the React Native security example), and contribute to open-source standards like OWASP.
We would expect you to have:
* Experience in performing security assessments for mobile and/or web applications.
* Ability to read code, understand business logic and spot security mistakes in different mobile-relevant languages, such as Swift, Objective-C, Kotlin, Java, JavaScript, TypeScript, and Dart.
* Experience designing or implementing mobile security controls, including platform-specific controls (biometry on iOS, screenshot protections on Android, etc.).
* Good understanding of OWASP MAS (MASVS + MASTG).
* Familiarity with other application security verification and software maturity frameworks: OWASP SAMM, OWASP ASVS.
* Understanding of SSDLC (OWASP SSDLC, NIST SSDF).
* An overall understanding of what information security is and how real-world risks and threats affect the choice of security controls.
* Experience with the popular security tools required for the job, or the ability to learn them quickly (Burp Suite, network analysers, various SAST and DAST tools, dependency and vulnerability scanners).
As a plus, you’d have:
* Mobile development experience. Experience with some tools of the mobile stack: Xcode, Android Studio, TestFlight, Firebase, AppCenter, Bitrise, fastlane, etc.
* Experience in jailbreaking/rooting your devices.
* Experience in reverse engineering applications, bypassing TLS pinning, and analysing source code.
* Basic knowledge of cryptography: understanding the differences between symmetric and asymmetric cryptography, hashing, and KDFs.
What’s in it for you?
* A sense of meaning and responsibility for those who seek purpose — we’re building the “invisible texture of modern civilization” — bits of infrastructure that finance, power grids, and healthcare rely on, and we are trusted with very challenging aspects of it.
* Competitive compensation with a flexible bonus scheme.
* Hybrid work model: this position allows for a combination of in-office and remote work as needed.
* UK, EU and USA clients.
* Working at the crossroads of ML security, cryptographic protocol support, hardware protection, reverse-resilient mobile app development, and securing web apps for millions of users.
* A public track record in the open-source aspect of our products.
* Conferences, books, courses — we encourage learning and sharing with the community. Our team members share a lot in talks, workshops, and blog posts.
* Paid vacation — 21 business days per year.
* Paid sick leave.
About Cossack Labs: We are a data security solutions company, providing custom bespoke solutions to innovative software development teams around the world. Our software is well-known amongst security-aware teams, recommended by OWASP, and popular for easily solving complicated security challenges. Apart from building “off-the-shelf” solutions, we design custom security controls for novel problems.
We work in the B2B space, with customers such as IIoT, AI / ML based systems, mission-critical systems, robotics, navigation, power grid operators, payment processors, financial apps, legal companies, and million-user customer applications. We cater to young, ambitious startups and well-established enterprises, who use our software and solutions as a core part of their security arsenal. Our customers are smart, but extremely demanding.
Markets: EU, UK, USA, UA.
More about this position -> cossacklabs.com/job/mobile-application-security-engineer/ Read more about us -> cossacklabs.com/about/
Not sure, but considering? Send us an email, connect in social networks, or just ping Anastasiia in Telegram directly.