Dfns
Pr/Sr Application Security Engineer
Dfns is a cybersecurity company that builds a custody SaaS protocol for web3 apps. Think of it as a developer tool that provides a secure cloud for crypto. Our mission is to bring serenity to DeFi by eliminating new blockchain risks and making crypto transactions easier, faster, more affordable, and compliant with existing regulations.
From fintechs to large banks to e-commerce sites, Dfns gives financial institutions and businesses the freedom to own and transfer crypto on a battle-designed security infrastructure. Our API is designed to offer best-in-class developer experience allowing any platform to deploy custodial wallets in a matter of days, with streamlined feature delivery and frequent security upgrades.
Founded in 2020 in Paris, Dfns is a startup incubated at Station F (awarded Future 40), accelerated by Techstars and recognized DeepTech by the French Ministry of Economy. Our company is fully remote with offices in Paris, Amsterdam, New York, London, Stockholm, Sofia, and other cities.
Job Description
You will contribute to one of the most ambitious technology projects in crypto today: building a trustless custody infrastructure for the trillion-dollar digital asset industry.
Reporting directly to the CISO, you will lead Application Security at Dfns. You will join an amazing team of leaders (CTO, VP of Research, CISO) and experts (InfraSec Engineers, R&D Engineers, OffSec Engineers) in a highly challenging and collaborative environment.
We are looking for a Senior or Principal Security Engineer to run Application Security within our company. You will have to demonstrate excellent surveillance and emergency response skills. You will need a strong commitment to security rules and knowledge of all hazards and threats to safety. Ultimately, you will work to ensure the security of our business information, employee data and client information throughout our entire network.
As an Application Security Engineer, you will detect insecure features and malicious activities within our products. You will implement customized application security assessments for client-based asset risk and corporate policy compliance, and conduct vulnerability assessments. You must have an advanced understanding of TLS 1.3, mTLS, DNS, TCP/IP, common networking ports and protocols, traffic flow, system administration, the OSI model, defense-in-depth and common security elements. Your focus is not limited to assessing whether vulnerabilities exist; it extends to how those risks could be mitigated. The ideal candidate loves security and possesses both deep and wide infosec expertise. You will make things more secure by protecting system boundaries, keeping computer systems and network devices hardened against attacks and securing highly sensitive data.
Responsibilities
Your primary goal will be to create and preserve environments where employees, clients and assets are monitored, safe, and well-protected.
Your day-to-day projects will involve:
- Participate in application security reviews including security code review, architectural design review, and dynamic testing.
- Implement security and cryptography solutions
- Detect design and logical vulnerabilities
- Build and maintain a threat modeling framework
- Help Software Engineers with security best practices.
- Own and perform application security vulnerability management.
- Support the bug bounty program.
- Facilitate and support the preparation of security releases.
- Support and consult with Product and development teams in the area of application security.
- Assist in the creation of security training.
- Assist in development of automated security testing to validate that secure coding best practices are being used.
- Assist in Pen-testing practices (purple teaming)
- Work with external pen testing firms
- Own the Secure SDLC process
- Managing the Security Champs program
- Taking initiatives to curb known abusive activity, and identifying unknown abuse vectors.
- Designing, researching, and executing attacks to challenge the blue team.
- Reporting on the red team engagements providing in-depth analysis of the security issues.
- Developing technical solutions and new security tools to help mitigate security vulnerabilities and automate repeatable tasks.
- Writing comprehensive reports including assessment-based findings, outcomes and propositions for further system security enhancement.
- Authoring blog posts and giving talks at security conferences on vulnerabilities discovered.
- Facilitating cross-branch communication and know-how exchange between team members.
- Implementing security best practices and new ideas to encourage innovation within your team.
- Making proposals across several teams on cross-functional security initiatives.
- Keeping abreast of the latest developments in crypto, DeFi and blockchain to feed the company’s strategic orientations.
- Continually researching current and emerging technologies and proposing changes.
Requirements
- At least 6 years of experience in the field of Information Security.
- At least 3 years of experience in Software Development.
- Experience in Digital Asset Wallets is a plus
- Familiarity with common libraries, security controls, and common security flaws.
- Deep understanding of supply chain attacks
- Experience with OWASP, static/dynamic analysis, and common security tools.
- Deep understanding of network and web-related protocols (such as TCP/IP, UDP, IPsec, HTTP and HTTPS).
- Deep understanding of mTLS implementation
- Deep understanding of applied cryptography
- Experience in vulnerability management lifecycle.
- Familiarity with cloud security best practices.
- Demonstrate strong written and verbal communication skills.
- Be a huge fan of blockchain technology and cryptocurrencies.
- Experience implementing Security Certifications
- Understand full attack lifecycle
- BS (or equivalent) in Computer Science, Computer Engineering or related field.
- [Bonus] Hands-on experience and willingness to contribute to open source projects.
- [Bonus] Proven track record working on developer tools, cybersecurity software, infra products, and/or API products.
- [Bonus] Proven work experience in blockchain, DeFi and/or cybersecurity industries.
- [Bonus] Extensive knowledge about the crypto custody industry and its use cases.
Benefits
- Title: Senior Application Security Engineer
- Salary: $140-300K avg base range
- Equity: 0.1-0.3% (≈ €3.6-10.8M in case of €2B exit).
- Bonus: Peer and spot bonuses after 8 months with us.
- Location: Hybrid. You can either work in our offices, from home, or remote.
- Paid time off: No less than 30 days per year, plus national holidays.
- Employee benefits: Healthcare, life insurance, retirement plan, sponsored transportation, gym cards, food, Apple devices and home office equipment, tuition fee assistance, team retreats, and more.