Senior Cloud Security Engineer

**About us**: Every day, the complex challenges of global shipping and logistics bring growing pains that fast-growing online brands struggle to negotiate. Getting products into the hands of customers quickly and affordably is a challenge for most. At Auctane, we serve and champion these merchants every day. Our software stack solves shipping and logistics problems that arise as merchants scale, so they can focus their time, energy, and resources on what matters most. Auctane is a team of shipping and software experts with a passion for helping merchants move their ideas, dreams and innovations around the globe. The Auctane family includes ShipStation, ShipWorks, ShipEngine, ShippingEasy, Stamps, Endicia, Metapack, Shipsi, GlobalPost, and Packlink. Our partners include Amazon, UPS, USPS, eBay, BigCommerce, Shopify, WooCommerce, and Walmart. **Why would I want to be a Senior Cloud **Secur**i**ty Engineer** at Auctane?** To drive forward securing our Cloud environments (80% AWS, 20% GCP) and using industry leading security tools/services with regards to towards 'security by design' / 'security as code' / 'Shifting Left' to help Auctance's journey from a DevOps to a DevSecOps culture. The role sits within the infosec team which is part of the larger R&D Tech function who work at scale, pace and with the latest architecture patterns and tech. We have a flat and open engineering culture where data, & evidence beats opinion and hierarchy, backed by honest and frank discussions. We passionately believe in forming autonomous, cross functional teams who are empowered to deliver our ambitious strategy. **What would I be doing?** - Architecting, designing and ownership of Cloud Security (Mainly AWS) including API Security and Container Security. - Developing the automation of security and compliance capabilities in support of DevOps processes (SDLC) - Architecting, designing and Policy ownership of a single WAF (Akamai or Imperva) solution across all Auctane Brands - Performing regular security reviews, vulnerability, risk assessments and audits - Building relationships with all staff to promote "Security by Design" throughout the Engineering Teams and wider business. - Being part of the internal Infosec / cyber security incident process - investigate suspected attacks and help manage security incidents, including providing post-mortem analysis, identify causes, develop solutions and preventive measures - Responding swiftly to new and emerging security threats and vulnerabilities, investigate suspected attacks and be an integral part of the Information security incident process **What key skills and experience do I need?** - Detailed technical knowledge of vulnerabilities, threats, attack methods and infection vectors with Cloud Environments. - Hands on experience with a Cloud Security Posture Management (CSPM) tool. - A solid foundation in cloud native networking fundamentals & security controls, WAFs (Akamai & Imperva), IDS, IPS technologies, ability to construct custom signatures and investigate intercepted traffic/logs. - Experience of successfully implementing WAFs - Solid understanding of AWS security tools (Security Hub, GuardDuty and Detective) and the use of Config - Knowledge of EC2, S3, ECS and Fargate security best practices. - Ability to visualise the security posture of our AWS environment and prioritisation of associated risks. - Able to review basic HashiCorp Terraform Syntax and advise engineering teams on how to secure and deploy their Terraform code. - Experience of running "Threat Modelling" for teams and products with reference to secure engineering principles, and standards (eg OWASP\CIS\NIST) - Able to balance the demands of delivering high quality and demanding timescales. - Hold yourself accountable to delivering on your commitments. - Your every action demonstrates that collaboration is the best way to deliver awesome products **It would be great if you also could bring** - Knowledge of automated tools to secure infrastructure as code: Cloud Custodian - Knowledge of code training platforms ie Secure Code Warrior - Willing to attend conferences, webinars and meet-ups and share the learning. - Experience of using automation to solve complex problems - General development knowledge: - At a high-level how an engineer builds and deploys code from their IDE through the pipeline and to production. - Of a typical pipeline build (Jenkins or TeamCity) and therefore can advise teams on how to implement steps to automate security tools ie Static Application Security Testing (SAST) or Software Composition Analysis (SCA) as part of the build - A desire to constantly challenge the norm **What we offer**: - Stock options - Personal Training Budget: Up to 2.000€/year training budget (certifications, conferences attendance, etc.) to invest in your professional development. We want to help you improve your technical skills, feel involved in the product community, and develop your soft skills in ord