roles-and-responsibilities.md

description
Security roles at Rocket.Chat

Roles and Responsibilities

Junior Security Engineer	Vulnerability management: Analysis and report of vulnerabilities using a variety of sources. Internal pentest focused on infrastructure and web application. Education of developers on best practices for secure coding. Review security alerts. Participate in projects related to security. Support to bug bounty programs. Access control activities. Participate in forensic analysis. Support for more senior security engineers.
Senior Security Engineer	In addition to a junior security engineer, a senior security engineer also does the following. Leverage understanding of fundamental to advanced security concepts. Constantly improve product security. Triages and handles/escalates security issues independently. Leads one or more security initiatives. Conduct security architecture reviews and makes recommendations. Interview security candidates during hiring process. Detect and respond to company-wide security incidents. Log analysis. Security forensics. Develop and implement preventative security measures (detection, monitoring, exploitation). Vulnerability management - triage and manage vulnerabilities identified through scanning and manual efforts. Identify and mitigate complex security vulnerabilities before an attacker exploits them. Communicate risks and mitigations across multiple audiences with varying levels of sensitivity.
Staff Security Engineer	In addition to a senior security engineer, a staff security engineer also does the following. Research and implement technical and process improvements for security at Rocket.Chat. Discover security issues through penetration testing, source code review and design review. Communicate issues and their severities to teams across Rocket.Chat with clear recommendations for how to fix them. Assist with fixing issues as needed. Leads one or more security initiatives. Develop security training and guidance to internal development teams. Help review most important features and security fixes, also submitting pull requests. Maintain handbooks about best security practices. Provide subject matter expertise on architecture, authentication and system security. Assess security tools and integrate tools as needed into the development process, particularly open-source tools. Manage and grow bug bounty-like programs. Ability to discover and patch XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond). Write public blog posts and represent Rocket.Chat as a speaker at security conferences when necessary. Proactively identify and reduce security risks in our code. Find and replace vulnerable code and code libraries. Consult with other Developers and Product Managers to analyze and propose application security standards, methods, and architectures. Educate other developers on secure coding best practices.
Application Security Engineer	Work with project managers and technical leads to implement and improve processes regarding SDLC Define and implement an application security strategy Designing and implementing security controls within our application stack Generate and improve reports to guarantee that all processes are healthy Conducting code reviews and threat modeling to identify and mitigate potential security vulnerabilities Maintain and improve our current tooling that detects vulnerabilities in the development process Contributing security-focused feedback to engineers during all phases of the development lifecycle Seeking out opportunities to automate processes when appropriate Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns Maintaining and creating secure development practices and programs for our engineering teams and external developers Acting as an ambassador for security within Rocket.Chat