Security DevOps Engineer
If you have DevOps experience, are interested in specialising in security, are not afraid of working in a highly agile team that deals with people, processes, infrastructure and code on a daily basis, and for some weird reason even enjoy reacting to outages or potential incidents, we might be looking for you! In our team nothing is set in stone: we are looking for someone to help us design and implement Prezi’s security architecture and program to protect the data of the millions who use our cloud productivity tool.
Some of the challenges we have in our sight right now:
- Implementing meaningful security controls in line with agile practices, DevOps and SOC 2
- Hardcore hardening of our most critical infrastructure components (from very detailed auditing and integrity checking to confining processes with AppArmor at scale)
- Building up and establishing a strong and effective internal security training program (maybe engineering-wide red and blue team games such as capture the flag)
We hire for potential and mindset, not existing hard skills. With that said, you ideally:
- get excited about finding potential edge cases, misuses and security issues even if that is not explicitly stated in your job description (i.e. you are a security enthusiast)
- have experience with AWS (especially IAM, Elastic Beanstalk and VPC)
- have already written some complex services, preferably in Python
- feel end-to-end responsibility for your services and everything you do (from designing them to the very last exception you get)
- understand the underlying and surrounding technologies such as continuous delivery, containers, Linux and the networking stack (from IP subnets to HTTP)
- think critically and are ready to challenge the status quo in a constructive way
- have strong English communication skills, both spoken and written
We believe that our stories give you a far more honest and precise description of what it is like to work in our team:
- "As a pentester, I thought I was making the world a better place. However, I had to realise that some companies don't even fix the most critical bugs. I made a decision (which I still do not regret) and moved to the "defending side", where my job is now not just to discover the bugs but also to get them fixed. This makes me feel like a real superhero saving the world a bit every day."
- "When I joined the team, there was almost no security monitoring at all, so we decided to focus on this area. After a year, we had so many (false positive) alerts that we couldn't handle them. Since there was no off-the-shelf solution satisfying our needs, we decided to write our own automated code review tool called Repoguard, then an automated infra review tool called Reddalert and lastly an internal SIEM solution to store, correlate and alert on (hopefully) true positive alerts only. I love to build stuff, but only if I see the value of it (and I'm sure there is no better alternative). At Prezi, we make such decisions every day, which is a challenging but very mind-blowing experience."
- "At Prezi, we accept that there is no unbreakable system - including ours. The best we can do is to raise the bar for the attackers every day and learn from our mistakes. This is exactly what we are trying to do by fine-tuning our security monitoring system every day and holding post mortem meetings whenever our defensive measures have failed us."
- "I switched from pentesting to the blue side so I can be part of building up a world class security team working effectively in an agile and DevOps environment. I believe that we have the rare opportunity of seeing and having an impact on Prezi while it is growing up from a small startup."
- "As a Product Owner I love working together with the team to cover all the aspects of security, like reacting to potential incidents, developing tools and sometimes complex services in Python for detecting risks, integrating different security products, evangelising security internally and tweaking company-wide processes to maximise our impact. I believe working with so many things and keeping focus can be super challenging and, to be honest, sometimes even frustrating, but it definitely gives the opportunity to learn every day."
- "I never really liked to work on totally different projects for completely different customers one after another, as I had no time to fully understand the problem and put my heart and soul into the solution, just deliver the order on time. Working continuously on one product with 300 more people really enables me to fully identify with our product and the vision, understand all of its technical components from top to bottom and add my own ideas to it. I really love this feeling."
- "When a BugBounty researcher sent us the contents of one of our /etc/passwd files in a video, I thought to myself: God, I love this job!"
- "PagerDuty alerts tend to wait in the darkness until you close your eyes for a good night's sleep or the entire team goes offsite for a conference or team building. It can be frustrating to deal with them, but you know, it's part of the drill."
- "It's kind of 'Go hard or go home' - except it's not always easy to go home from such an awesome office!"
- "AppSec, InfraSec, SOC, Compliance - for many companies, it's 4 teams. At Prezi, it's 4 engineers (for now...)"
If you would like to learn even more about what we do or the team itself, here are some links to our open source projects, blog posts and presentations:
- [presentation] What we learnt from running our Security Operations Center / BSidesLjubljana 2017 - video and prezi: https://bsidesljubljana.si/learnt-running-security-operations-center-gyorgy-demarcsek-robert-kiss/
- [tool] Reddalert to detect risky security changes in AWS - https://github.com/prezi/reddalert/
- [tool] Repoguard to check and alert on any change in git repositories which might be interesting - https://github.com/prezi/repoguard/
- [blog] How we defeated Heartbleed - https://medium.com/prezi-engineering/heartbleed-defeated-cf84046d905b
- [blog] Story of an awesome bugbounty submission - https://medium.com/prezi-engineering/prezi-got-pwned-a-tale-of-responsible-disclosure-ccdc71bb6dd1
- [presentation] Security alerts that are worth a phone call / Hacktivity 2014 - video: https://www.youtube.com/embed/wwAgTgDLLhA?autoplay=1 prezi: https://prezi.com/mdzriwr_-waa/security-alerts-that-are-worth-a-phone-call/
- [presentation] Scaling Security / Confidence 2014 - video: http://youtu.be/1fCURjTVih0 prezi: https://prezi.com/o44i9lrrqyka/scaling-security-confidence-2014-securityprezi/
Prezi is the cloud-based presentation platform that helps you connect more powerfully with your audience. Unlike traditional slides, Prezi’s open canvas allows you to navigate through topics freely, encouraging interaction and collaboration between you and your viewers. The result is conversational presentations that are more natural, more engaging, and more memorable.