Senior Vulnerability and Risk Engineer
We’re Cruise, the self-driving ride-hailing service.
We are building the world’s most advanced self-driving vehicles to safely connect people to the places, things, and experiences they care about. We believe self-driving vehicles will help save lives, reshape cities, give back time in transit, and restore freedom of movement for many.
At Cruise, our engineers have opportunities to grow and develop while learning from leaders at the cutting-edge of their fields. With a culture of internal mobility, there's opportunity to thrive in a variety of disciplines. This is a place for dreamers and doers to succeed.
If you are looking to solve one of today’s most complex engineering challenges, see the results of your work in hundreds of self-driving cars, and make a positive impact in the world starting in our cities, join us.
We are looking for someone who understands how vulnerabilities translate to significant incidents in both traditional and cloud based environments. As a technical expert, you will translate requirements into scalable processes and technologies, formulate and prioritize risks, collaborate with asset owners to prioritize vulnerability remediation, and create measures and processes that ensure our efficient resolution of risks.
As the Staff Vulnerability & Risk Management Engineer you will report to the Director of Security Assurance and Trust. Given the nature of the role, you will be a point of contact for a wide range of teams and folks at all levels of the organization. We are ok with fully remote candidates.
What you'll be doing:
- Creation and review of requirements for vulnerability management systems
inclusive of their upstream and downstream dependencies - Detection, assessment, and ranking of vulnerabilities to ensure protection of our
most valuable resources from their most serious vulnerability exploits - Work with TPM, IT, and asset owners to achieve timely remediation actions
- Aid in the measurement and continuous improvement of the aforementioned
- Foster and maintain a fiduciary obligation with your stakeholders: be a credible,
reliable, and trustworthy partner and subject matter expert
What you must have:
- 5 years or more of related experience that demonstrates:
- Strong familiarity with commodity vulnerabilities via Nessus, Qualys, Prisma, Redlock, Twistlock, and like systems
- Fluency in all industry standard vulnerability types OWASP, CSA, and like
- Familiarity with vetting and disposition of non-commodity vulnerabilities via application security or red team findings; the ability to validate potential vulnerabilities or design remeditations to vulnerabilities with non-obvious mitigations
- Fluency in scripting with Python, shell, or like languages
- 3 or more years leading departmental initiatives / work that changes how your team, department, or cybersecurity program does work
- Fluency with agile or like structured planning framework; you must be comfortable and competent moving from high-level asks to UML like design while maintaining alignment and cohesion within the team
- Experience with cloud and container based deployments, using AWS/GCP, Kubernetes, Docker etc.
- Understanding of Linux, Mac, and Windows security controls.
- Experience communicating at all levels of the organization; meeting Cruiser’s at their level of expertise and the ability to bring others along will be critical to your success in this role
Bonus points!
- hackerone reputation score, Blackhat / Defcon presenter, or like bonafides
- One or more of the following certifications: OSCP, OSCE, GVEA, GCIH, GCED, or like
- Experience with security orchestration, automation, and deployment tools, and using Terraform