Form3’s Offensive Security Engineering division is rapidly becoming more sophisticated in its approach to security testing. This team is tasked with identifying vulnerabilities from the attacker’s perspective and continually improving our resilience against attackers. With a wide range of tools and technologies available to you, this is your opportunity to help Form3 protect its most important assets and services.

BENEFITS

  • 30 days annual leave plus public holidays
  • Remote friendly environment
  • Remote working equipment allowance
  • Health and wellness allowance
  • Flexible working arrangements
  • Learning days, Udemy and educational reimbursements
  • Primary caregiver leave
  • 4 hours of “investment time” per week, to spend working on projects that you are passionate about improving
  • Mental Health support via Spill
  • Perlego subscription 
  • Full details are available on our careers page

Form3 appreciates that we all lead different and often really busy lives. We work remotely 100% of the time and many of us work part time. If you’re interested in hearing what different flexible working arrangements may be available, we’d love to chat.

Excellent: CI/CD, Linux, Unix
Very well: Terraform, Go, Python

  • Penetration testing Form3’s growing ecosystem.
  • Conduct code reviews and security reviews of Form3’s Infrastructure (Cloud, Kubernetes).
  • Participate in threat modelling sessions and help in vulnerability remediation.
  • Maintaining and advocating the DevSecOps mindset we have created across the business.
  • Creating new tools and methodologies to enable our team to deploy creative and effective threat assessments.
  • Researching new security vulnerabilities, threats and exploits.

  • Confidence within a DevSecOps environment. Here at Form3, DevSecOps is our chosen methodology and mindset, so experience with automatic code analysis, IaC (Terraform preferably) security and CI/CD pipeline security reviews is critical. This extends to having the ability not only to test but also to offer hands-on assistance in the remediation stages.
  • In depth knowledge of Web Application penetration testing and experience with source code reviews. Manual penetration testing experience together with the ability to develop automated testing scripts.
  • Experience in Cloud-Native/Multi-Cloud offensive security engineering. Form3 is rapidly approaching its goal of becoming platform-agnostic, and our OffSec team is tasked with offering business leaders a clear perception of the cloud threat landscape through extensive testing and research.
  • Experience in Kubernetes and Container security reviews and exploitation. Running on a micro-service, distributed architecture, our OffSec team is challenged with finding and exploiting vulnerabilities and loopholes to ensure that our architecture is as secure and impenetrable as possible. Networks and bare metal are included within this scope.

SPECIFIC DESIRABLES AND YOUR SPECIALISMS

  • Strong programming skills. We are flexible on languages, but we use Go as our main language for production, so a willingness or interest to learn Go is fundamental. In security we write our own scripts for automation in Python, Go and other languages, while contributing to open-source tools so we can utilise them.
  • In-depth knowledge and capabilities using Linux and Unix technologies and how these can be used in the attack matrix to allow for privilege escalation and lateral movement.
  • Active contribution to Open-Source projects and tools is highly encouraged at Form3 so prior interest in this is always welcomed.
  • Keen interest in new and emerging threats, vulnerabilities and adversary advancements coupled with the ability to present these to the wider team.
  • Qualifications: OSCP, OSWE, CCT App or Inf (or equivalent), CCSAS, CCSP, Cloud Specific Qualifications

Our Story

Form3 was established in 2016 by four banking and technology leaders with a single purpose - to transform outdated, complex and costly payments infrastructure to a modern, cloud-native, real-time Payments-as-a-Service. Since then we have made enormous steps in opening up access to payment schemes for the global financial community, enabling them to scale and optimise their business operations through advanced payment technology.

What we do

We provide Banks and regulated Fintechs across the globe an end-to-end managed payments service that delivers complete payment processing, clearing and settlement to the universe of payment schemes through a single API. Our platform handles everything so you can focus more on serving your customer's needs and less on managing payments infrastructure.