Security Engineer for Penetration Testing

Credit Karma

(San Francisco, California)
Full Time
Job Posting Details
About Credit Karma
With over 60 million members, Credit Karma is working to make financial progress possible for everyone. Since 2007, we have been knocking down barriers that block the path to financial health, helping our members make informed choices and feel confident about their opportunities.
Summary
Security is a core value at Credit Karma. We help millions of people better manage their credit. Safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual developer, everyone views security as a personal responsibility. Your unique mission as a Penetration Tester is to scale Credit Karma’s ability to automate tests against our mobile/web security controls.
Responsibilities
* Build out a comprehensive testing framework which combines the forces of internal and external testing experts, security tools and services, engineering-driven threat models, and other superpowers into a juggernaut of sustained testing might.
* Optimize the complete testing program by minimizing the cost-per-bug to acquire vulnerability data while maximizing the total number of bugs found.
* Design security tests for new Credit Karma features, improve upon generic testing capabilities, and never run a test manually more than once.
* Coordinate with architects to shape system design toward better testing coverage.
* Recommend holistic bug fixes to address entire vulnerability classes instead of point patches.
* Research and evaluate new attacks and threats as they relate to Credit Karma.
Ideal Candidate
* B.S. in Computer Science or related technical major (M.S./PhD preferred) or significant job experience.
* Minimum 5 years penetration testing experience, with significant mobile testing.
* Development experience preferred.
* Familiarity with common web application penetration testing tools including, but not limited to, Burp, Fiddler, OWASP ZAP, BeEF, and at least one commercial solution (WebInspect, AppScan, or similar).
* Experience deploying enterprise security testing solutions.
* Familiarity with common network vulnerability/penetration testing tools including, but not limited to, Metasploit, vulnerability scanners, Kali Linux, and Nmap.
* Experience with debuggers, disassemblers, and binary patch diffing (e.g. BinDiff).
* Experience with test automation suites such as Selenium.
* Technical depth in many, if not most, of the following areas: LAMP stack, Node.js, Scala/Java, iOS, Android OS, Windows Mobile, web services, and certificate pinning.
* Familiarity with Secure Development Lifecycle practices and Agile development.
* Thought leadership in the security field, with demonstrable contributions to industry groups strongly desired.
* Artful communication skills and organizational savvy, to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concerns.
* Eagerness to challenge the status quo, balanced with a reasonable and methodical approach to effecting change.
* A fun and positive attitude!
