DevOps Security Engineer
2 days ago
Barcelona
ph3About Legacy /h3 pLegacy is an easy-to-use, non-custodial Web3 wallet designed to protect digital assets through beneficiary protection and seamless DeFi access. Users can swap across chains, earn yield in one click, and safeguard wealth for the next generation. /p h3About the Software Division /h3 pWe are building a portfolio of software products inside the Decentralized Masters ecosystem, including: /p ul liLegacy Wallet - a non-custodial Web3 wallet with beneficiary protection and seamless DeFi access /li liTrading Bot - automated crypto execution tools for serious investors /li liFuture fintech and investor infrastructure tools /li /ul pWe are now building the retention and lifecycle engine that will power long‑term recurring revenue across all products. /p h3About The Role /h3 pYou will be the single person responsible for the security of a platform that tracks hundreds of millions in digital assets. That is the job. Everything else is secondary. /p pWe need someone who breaks things for a living. Someone who looks at a login page and sees six attack vectors. Someone who reads a pull request and catches the injection vulnerability that two senior developers missed. Someone who lies awake thinking about the phishing campaign that hasn’t been invented yet. If that sounds exhausting, this is not your role. If that sounds like Tuesday, keep reading. /p pYour primary responsibilities are security and quality assurance. You own penetration testing, vulnerability assessments, threat modeling, automated test frameworks, and CI quality gates across every product we ship. You also own infrastructure: AWS, CI/CD pipelines, monitoring, and incident response. And because we are a small, senior team, you will write production code when security and QA responsibilities are covered. You are not a consultant or a checkbox auditor. You are an engineer who ships, and whose code happens to make everything else harder to break. /p pThe ideal candidate has spent time at major product‑driven fintech and crypto companies where a single security failure can destroy user trust overnight. /p h3Security (Primary) /h3 ul liOwn the security posture across all products: Legacy, Trading Bot, and future platforms. If something gets breached, it is your problem. If nothing gets breached, it is because of your work /li liConduct regular penetration testing, vulnerability assessments, and threat modeling aligned with OWASP standards and methodologies /li liEnsure full coverage of the OWASP Top 10 in application security testing, code reviews, and deployment checks /li liPerform security‑focused code reviews across frontend, backend, and infrastructure code, catching what standard code reviews miss /li liImplement and manage secrets management (Vault, AWS Secrets Manager, or KMS), access controls, and least‑privilege policies /li liBuild and maintain incident response playbooks. When something breaks, you lead the response, run the post‑mortem, and ship the fix /li liStay ahead of Web3 and crypto‑specific attack vectors: phishing campaigns, wallet exploits, API key compromises, supply chain attacks, and social engineering /li liManage and coordinate external security audits and penetration tests from third‑party firms /li /ul h3Quality Assurance Testing (Primary) /h3 ul liDesign and implement test strategies across all products: unit tests, integration tests, end‑to‑end tests, API tests, and regression suites /li liBuild and maintain automated testing frameworks and CI quality gates that prevent broken code from reaching production /li liDefine and track quality metrics: test coverage, flakiness rate, regression detection latency, and bug escape rate /li liWrite and execute security test cases: authentication flows, authorization controls, input validation, API abuse scenarios, and edge cases around financial data /li liPerform both white‑box and black‑box testing, leveraging full codebase access to catch issues that surface‑level QA would miss /li liTest across the full stack: frontend UI, backend APIs, database queries, third‑party integrations, and on‑chain interactions /li /ul h3Infrastructure DevOps (Foundation) /h3 ul liMaintain and improve cloud infrastructure on AWS using Infrastructure as Code (Terraform or CloudFormation) /li liOwn CI/CD pipelines (GitHub Actions preferred): automated testing, security scanning, linting, and deployment /li liHarden infrastructure: network security, IAM policies, container security, and environment isolation /li liBuild logging, monitoring, and alerting across all services (CloudWatch, Prometheus, Grafana, or equivalent) /li liEnsure audit trails for user actions, system changes, and access events /li liManage production reliability, incident response, and cost optimization /li /ul h3Fullstack Development (When the fortress is secure) /h3 ul liContribute production code across frontend and backend, bringing a security‑first mindset to every feature you build /li liBuild features, fix bugs, and ship improvements alongside the engineering team /li liEvery line you write should make the product better and harder to break: input validation, error handling, authentication, and data protection by default /li liParticipate in architecture discussions and code reviews, advocating for testability, reliability, and security in every decision /li /ul h3Requirements /h3 h3Required /h3 ul li5+ years in software engineering roles with meaningful, hands‑on security and QA experience. We will verify this. If your security experience is theoretical, this is not the right fit /li liFullstack development experience: you can build and ship features across frontend (React or equivalent) and backend (Node.js, Python, Go, or equivalent) /li liHands‑on penetration testing and vulnerability assessment experience across web applications, APIs, and cloud infrastructure /li liStrong working knowledge of OWASP standards, including the OWASP Top 10, OWASP Testing Guide, and OWASP secure coding practices /li liExperience building automated test frameworks and integrating testing into CI/CD pipelines /li liAWS expertise (EC2, ECS/EKS, Lambda, VPC, IAM, S3, RDS, CloudFront, WAF) /li liInfrastructure as Code experience (Terraform, CloudFormation, or Pulumi) /li liContainer technologies: Docker and Kubernetes in production environments /li liScripting and automation proficiency in Bash and Python /li liExperience with secrets management tools (HashiCorp Vault, AWS Secrets Manager, or similar) /li liFamiliarity with security and testing tools (Burp Suite, OWASP ZAP, Selenium, Cypress, Jest, Postman, or equivalent) /li liStrong communication skills: you can explain security risks and quality tradeoffs clearly to non‑technical stakeholders /li /ul h3Nice‑to‑Have /h3 ul liSecurity certifications: OSCP, CISSP, CompTIA Security+, AWS Security Specialty, or equivalent /li liExperience at a crypto, DeFi, Web3, or fintech product company (Coinbase, Phantom, Stripe, Casa, MetaMask, Zerion, Ramp, or similar) /li liFamiliarity with Web3‑specific security concerns: wallet security, key management, on‑chain monitoring, phishing mitigation /li liSDET background or experience in a hybrid development‑and‑testing role /li liExperience testing financial systems: payment flows, ledger integrity, double‑spend prevention, or transaction monitoring /li liExperience implementing zero‑trust architectures /li liBug bounty participation, CVE publications, or contributions to open‑source security tooling /li /ul h3Benefits /h3 h3What We Offer /h3 ul liCompetitive salary + performance‑based incentives tied to retention LTV improvement /li liDirect exposure to founders /li liTeam Offsites /li liRemote work /li liHigh ownership, high‑impact role /li /ul /p #J-18808-Ljbffr