استخدام Senior product security expert
{{ tooltipText }}
{{ hoverTitle }}
نشان کردن
حذف نشان
Role Overview
The Service Security Specialist will be responsible for evaluating and improving the security of Saraf’s applications, APIs, infrastructure, and internal services.
This is a technical and execution-focused role. The successful candidate should be comfortable reviewing application architecture, testing APIs, investigating security incidents, working with developers to remediate vulnerabilities, and improving security processes across the software development lifecycle.
Key Responsibilities
Perform security assessments of web applications, mobile applications, APIs, and backend services. Identify, validate, prioritize, and document security vulnerabilities. Conduct manual penetration testing and support automated security testing. Review application architecture, authentication flows, authorization controls, and sensitive financial workflows. Assess risks related to account takeover, privilege escalation, transaction manipulation, data exposure, fraud, and abuse. Work closely with backend, frontend, mobile, DevOps, and product teams to remediate security issues. Review source code for security weaknesses and insecure implementation patterns. Integrate security checks into CI/CD pipelines and development workflows. Improve secure coding standards, security checklists, and internal engineering guidelines. Review third-party services, vendors, SDKs, integrations, and external APIs from a security perspective. Monitor security alerts and investigate suspicious activity across applications and infrastructure. Participate in security incident response, root-cause analysis, containment, and post-incident reviews. Manage and evaluate reports received through Saraf’s vulnerability disclosure or bug bounty program. Verify reported vulnerabilities, detect duplicate or invalid reports, and coordinate remediation. Help define security logging, monitoring, alerting, and audit requirements. Conduct periodic access-control reviews for internal systems, production environments, and sensitive services. Support threat modeling for new products and high-risk features before launch. Maintain clear security documentation, risk reports, remediation plans, and management summaries. Stay informed about emerging threats affecting fintech, cryptocurrency platforms, APIs, cloud infrastructure, and financial applications. Required Qualifications
At least 3 years of professional experience in application security, penetration testing, product security, or a similar technical security role. Strong understanding of common web and API vulnerabilities, including the OWASP Top 10 and OWASP API Security Top 10. Practical experience testing REST APIs, web applications, authentication systems, and authorization mechanisms. Experience with tools such as Burp Suite, Nmap, Postman, OWASP ZAP, Metasploit, or similar security tools. Ability to manually validate vulnerabilities rather than relying only on automated scanners. Strong understanding of authentication, session management, access control, JWT, OAuth, API keys, and rate limiting. Familiarity with Linux, Docker, networking, DNS, TLS, reverse proxies, and common cloud or data-center architectures. Basic ability to review source code in at least one backend programming language. Understanding of secure software development lifecycle practices. Ability to clearly explain technical risks and remediation requirements to developers and non-security stakeholders. Strong analytical thinking, attention to detail, and ownership of issues through resolution. Preferred Qualifications
Experience working in fintech, banking, cryptocurrency, payment, brokerage, or other high-risk financial environments. Experience with PHP, Go, JavaScript, MySQL, Redis, RabbitMQ, or microservice-based architectures. Experience reviewing transaction systems, wallets, payment gateways, KYC processes, and financial settlement workflows. Familiarity with SIEM, WAF, IDS/IPS, EDR, secrets management, vulnerability management, and security monitoring platforms. Experience with cloud security, Kubernetes, container security, or infrastructure-as-code. Knowledge of mobile application security for Android and iOS. Experience with SAST, DAST, dependency scanning, secret scanning, and container image scanning. Familiarity with threat modeling frameworks and risk-assessment methodologies. Experience handling security incidents and conducting post-incident investigations. Security certifications such as OSCP, OSWE, eWPT, eWPTX, CEH, Security+, CISSP, or similar credentials.
Report line: To CTOCareer path: Product Security manager
«صراف» مجموعهای فعال در حوزه رمزارز است که با تمرکز بر توسعه محتوای تخصصی، در مسیر ساخت یک تیم محتوایی حرفهای و پایدار قرار دارد.
هدف ما تولید محتوایی دقیق، بهروز و قابل اعتماد برای مخاطبان بازارهای مالی و رمزارز است؛ محتوایی که هم ساده و قابل فهم باشد و هم از نظر کیفیت در سطح استانداردهای حرفهای قرار گیرد.