Application Security Engineer (Security Team)

About our team

The Semrush Security Team comprises:

• Application Security Team.
• Infrastructure Security Team.
• Common Flow & Compliance Team.

As Semrush continues to grow, so does our necessity to simplify and automate workflows to meet the needs of our internal teams, partners, and external users.

The Semrush Security Team is a strong team, and the famous security researcher Andrey Leonov and other talented guys are with us.

We speak at conferences, hold internal and external events (CTF, meetups), do research work, and train employees on how to find vulnerabilities and defend against them.

The Application Security Team is working on complex and multi-layer software products, and as a member of AppSec, you will also be able to participate in building secure software development processes. We are not limited to basic workflows like DAST and SAST, we focus our efforts on scalable investments in our engineering ecosystem to identify and drive high-impact security initiatives.

Tasks in the role

• Work closely with development teams to mitigate security vulnerabilities.
• Select, design, and implement security processes and tools for security testing of developed applications.
• Implement automated security solutions for delivery processes.
• Run monitoring and participate in vulnerability scans.
• Stay up to date on security technology trends and best practices.

You will also leverage your security skills to support and manage the Semrush bug bounty program, participate in our product security incident response actions and other operational appsec responsibilities.

Our ideal new team member considers the security landscape holistically, understanding there are many possible approaches and tactics to reduce risks.

Requirements

• You have an application security background with a focus on scalable approaches to product security.
• You have experience with threat modeling, security design reviews, and security architecture.
• You have excellent written and verbal communication skills and are able to translate security objectives to engineering team tasks.
• You have experience partnering with cross-functional teams to deliver widely impactful security initiatives.

They say there are no perfect candidates, but that might well be you if:

• Participation in bugbounty, HTB, or CTF and the ability to confirm participation with links to the results.
• You have experience with Gitlab / Github, CI/CD, and YAML pipelines.
• You know the subtleties, can read source code, and identify vulnerabilities in the code of one or more programming languages (Golang, Java, Python).
• Knowledge of one of the programming languages at a level sufficient to automate routine tasks.
• You are familiar with the modern web application development process.

We offer

• License for Burp Pro, Metasploit Pro and other hacking tools, as well as help from friendly colleagues.
• Access to online platforms HTB, pentesterlab.
• You are free to choose a work format. Work in the office or from home if you want. You can mix as well! Freedom is trending now. So are we.
• Flexible working day start that would suit a night owl and an early bird alike. You can start between 9:00 am and 12:00 pm.
• Private health insurance program. Life insurance.
• Agile approach to work (we’ll gladly teach you).
• Online English classes.
• Training / online courses and workshops / conferences / books to improve your hard and soft skills.
• Financial compensation for sports and hobbies (gym / dancing / languages / horseback riding / painting / wakeboard… and many more. It’s really up to you!).
• Corporate psychologist consultations. Mental health is as important as physical well-being.
• Awesome parties, team building and corporate events in different formats – both online and offline, depending on the current global situation. We can have fun in any case.

Semrush is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees. We do not discriminate based on race, religion, creed, color, national origin, sex, pregnancy, sexual orientation, gender identity, gender expression, age, ancestry, physical or mental disability, or medical condition, including medical characteristics, genetic identity, marital status, military service, or any other classification protected by applicable local, state or federal laws. All employment decisions are based on business needs, job requirements, merit, and individual qualifications.