Cimpress N.V. (NASDAQ: CMPR) is the world leader in mass customization. For 20 years, the company has focused on developing software and manufacturing capabilities that transform traditional markets in order to make customized products accessible and affordable to everyone. Cimpress’ portfolio of brands include Cimpress, Albelli, Drukwerkdeal, Pixartprinting and others serve many customer segments across many applications for mass customization. The company produces more than 80 million unique products a year via its network of computer integrated manufacturing facilities.
As the Lead Security Engineer, you will be responsible for working with Senior IT Security staff and multiple IT organizations on projects and information security research that impacts the security profile reducing risk and exposure of the Cimpress and related brands infrastructure. This position requires broad IT background, knowledge of Information Security concepts, control and compliance as well as strong communications skills to effectively manage processes and projects with cross-functional teams.
This is a hands-on position requiring a person with a great deal of system management experience together with a thorough understanding of various security principles.
- Vulnerability Management – Identification and management of vulnerabilities in commercial, open source and custom software.
- Penetration Testing – Ability to exploit vulnerabilities by conducting regular penetration tests on Cimpress and its Business Units.
- Interact with Governance, Risk and Compliance groups as required to help prioritize risk and assess compliance status.
- Threat Intelligence – Prioritize and disseminate threat information including Indicators of Compromise and prioritize vulnerabilities based on active exploitation.
- Tool Development – develop or leverage open source tools to automate tests in CI/CD pipeline
- Assessment of tools for vulnerability management and penetration testing. Ability to conduct Proof of Concepts (PoC) or Request for Proposal (RFP) to determine best of breed solutions.
- Collaborate with business owners and developers to explain the associated risks of vulnerabilities to their specific environment or product.
- Minimum of 3 years of penetration testing experience.
- GPEN, CEH or GWAPT certification.
- Scripting experience in Python, Ruby, Go, or similar languages.
- Create integrations between security tools, or write new plugins as needed for existing tools.
- Experience with commercial and open source application and network/infrastructure vulnerability testing tools.
- The ability to conduct network and application level penetration testing with at least 3 years of experience.
- In-depth understanding of testing web-services (REST, SOAP, and Swagger) a big plus.
- Manage large amounts of threat and vulnerability data and create tool integrations.
- Compose penetration test reports and assist the compliance team with tracking and validating vulnerability remediation.
- Experience with PCI, SOX regulatory standards.
- Develop proof of concepts and deliver technical debriefs to engineers and developers as needed for penetration test findings.
- Keep up to date on the latest and most advanced offensive security techniques and frameworks.
- Collaborate with “Blue Team” members to help test and prioritize defenses.
Ideal candidate would have:
- CISSP, CEH, OSCP, GXPN or other information security certifications
- DAST or SAST experience, OWASP ZAP, Checkmarx, Veracode or equivalent
- Vulnerability and threat management experience in cloud services (AWS, GCP, Azure)
- Experience with various security tools and products (Tenable, Metasploit, etc.)
- Good understanding of the components of a secure DLC/SDLC
- Vulnerability analysis and application reversing skills
- Understanding of cryptography principles