Rakuten | Security Engineer

Security Engineer

Department Overview
In Rakuten Group, the security and safety of Internet services are guaranteed by the Cyber Security Defense Department (CSDD). CSDD covers all aspects of the Secure Development Life Cycle (SDLC) and operation security for all the services developed inside Rakuten Group.  

Why We Hire
Team expansion due to the increased demand for the work and the scope expansion.

Position Details
As a member of the CSDD Product Security Team, you will work closely with development teams to ensure Rakuten's products meet the expected security level by promoting effective integration of security best practices through Secure SDLC(Software/System Development Life Cycle). You will be expected to review and test new and existing products and deliver high-quality vulnerability and remediation reports for stakeholders across Rakuten group companies.

Responsibilities:
- Understand business requirements and define security requirements accordingly.
- Propose, design, and implement security solutions and controls in accordance with security policies, regulations, and security best practices.
- Stay informed of new and emerging cyber threats and evaluate their impact on Rakuten group.
- Interface with other technical departments such as application development, infrastructure, and ID management.
- Review product security design with firm techniques, such as document-based review, threat modeling, etc.
- Review application source code and infrastructure configuration to find vulnerabilities. 
- Perform automated and manual application penetration testing on Web, Mobile applications, APIs, and desktop applications to find vulnerabilities. 
- Report findings (vulnerabilities) with a summary, impact, and remediation recommendations in a written professional report, and verbal explanations to stakeholders.
- Integrate security scanners into CI/CD pipelines for automating security testing. 
- Develop automated tools and techniques to maximize efficiency in security operations 
- Provide security training for developers on security best practices. 
- Maintain technical security-related policies, regulations, and guidelines, and maintain compliance.

- Minimum 3 years of experience in Cyber Security related fields. 
- 2+ years of experience in web/mobile application security assessment. 
- Understanding of the core concepts of web/mobile applications and security issues . 
- Proven knowledge of network and web application protocols. 
- Proficient in one or more scripting languages, ex: Python, Ruby.   
- Strong teamwork capability in a diverse team environment . 
- Strong verbal and written communication skills. 
- Strong ownership and sense of responsibility. 

- Knowledge of security best practices and frameworks such as NIST, OWASP, CIS, etc. 
- Knowledge of indurstrial standard authentication technologies, including OAuth, OpenID, SAML, FIDO, etc. 
- Knowledge of cryptography and secret management. 
- Experience in Web/Mobile application development using major frameworks. 
- Experience in risk assessment, threat modeling, and security code review. 
- Experience in implementing security scanners (SAST, DAST, SCA, etc.) into CI/CD pipelines using commercial and open-source tools. 
- Experience in provisioning security awareness, training and education. 
- Experience with at least one major commercial cloud environment such as AWS/Azure/GCP and knowledge of cloud security and infrastructures like Infrastructure as Code(IaC), container(Docker), and orchestration(Kubernetes). 
- Holder of any security-related certifications, ex: GIAC, OSCP/OSCE, SSCP, CCSP, CISSP, and public cloud providers' certification.