Are you ready to power the World's connections?
Kong Inc., an industry pioneer in cloud-native solutions, empowers businesses
worldwide to innovate and excel in managing their API-driven architectures. With
numerous awards for innovation and security solutions, our commitment extends
beyond technology to cultivating a workplace that celebrates diversity and
fosters inclusion. Join us to be part of a company where your work impacts
millions and where every team member is instrumental in driving success.
About the role:
As a Security Engineer specializing in Vulnerability Management and Testing, you
will be critical in ensuring the security of Kong Insomnia. This role focuses on
identifying, triaging, and closing vulnerabilities while leveraging advanced
security engineering to build and update automated testing pipelines. You will
bring expertise in automated security testing while remaining hands-on in manual
testing and validation processes.
A key aspect of this role will involve researching and understanding all
components of the Kong Insomnia platform, including the underlying technologies
and dependencies. Binary analysis is a critical skill, and you will be expected
to analyze and reverse-engineer parts of Kong Insomnia to uncover
vulnerabilities and security weaknesses.
Your contributions will directly impact the security of Kong’s products by
integrating robust security measures into CI/CD pipelines, conducting in-depth
testing, and working closely with development teams to remediate vulnerabilities
effectively and efficiently.
What you'll do:
- Comprehensive Security Testing and Analysis: Conduct both automated and
  manual testing to uncover vulnerabilities:
  1. Static Analysis: Detect insecure coding patterns during development.
     - Tools: GitHub Advanced Security (CodeQL), SonarCloud, Checkmarx CLI.
  2. Dynamic Application Security Testing (DAST): Identify runtime
     vulnerabilities such as XSS or SQL Injection.
     - Tools: OWASP ZAP CLI Runner, Burp Suite.
  3. Fuzz Testing: Discover unknown vulnerabilities through randomized inputs.
     - Tools: ClusterFuzzLite, libFuzzer.
  4. Dependency Analysis: Identify vulnerabilities in third-party libraries and
     components.
     - Tools: Dependabot, Snyk CLI, OWASP Dependency-Check.
  5. Environment Simulation and Sandboxing: Test software in isolated
     environments to simulate real-world attacks.
     - Tools: Docker, Minikube, Cuckoo Sandbox.
Responsibilities
- Vulnerability Triage and Management: Identify, prioritize, and track
vulnerabilities from multiple sources, including automated tools, penetration
testing, and external reports. Collaborate with development teams to ensure
timely remediation of findings.
- Manual Testing and Validation: Conduct in-depth manual testing to identify
  vulnerabilities not covered by automated tools. Validate the accuracy of
  automated findings and ensure comprehensive coverage for critical systems.
  Provide detailed remediation guidance to development teams based on manual
  findings.
- Work with Security Engineering to develop Automated Testing Pipelines:
Design, implement, and maintain automated security testing pipelines using
GitHub Actions. Integrate security tools into CI/CD workflows to enable
continuous testing. Enhance pipeline efficiency by automating vulnerability
identification, tracking, and validation processes.
- Collaboration with Development Teams: Act as the primary security liaison for
engineering teams, guiding secure coding practices and remediation
strategies. Review and approve remediation actions to verify closure of
identified vulnerabilities.
- Process Development and Metrics: Establish workflows for vulnerability
triage, testing, and closure. Develop and monitor metrics to measure the
effectiveness and efficiency of vulnerability management processes.
What you'll bring:
To be effective in this role, you should possess most of the following skills
and be eager to grow in the others:
- Hands-on experience performing binary analysis to identify vulnerabilities
and security weaknesses.
- Direct experience using debuggers (e.g., GDB, WinDbg) to analyze binaries and
investigate potential security flaws.
- Expertise in building and managing automated security testing pipelines in
CI/CD workflows.
- Strong knowledge of static and dynamic application security testing tools and
methodologies.
- Hands-on experience conducting manual security testing, including penetration
testing and vulnerability validation.
- Proficiency in TypeScript/JavaScript.
- Experience working with development teams to remediate vulnerabilities and
ensure secure software delivery.
- Familiarity with secure coding practices and common vulnerabilities (e.g.,
OWASP Top 10, CWE/SANS Top 25).
- Knowledge of modern security frameworks such as MITRE ATT&CK and NIST CSF.
Preferred Qualifications:
- Experience with desktop applications.
- Proven ability to automate complex security testing workflows.
- Published tools or research related to security testing or vulnerability
management.
Personal Characteristics:
- Proactive and detail-oriented, with a strong drive for delivering secure
solutions.
- Effective communicator who can articulate security issues and remediation
strategies to technical and non-technical audiences.
- Collaborative and adaptable, thriving in fast-paced and cross-functional
environments.
Upcoming Projects:
This role will lead and contribute to key initiatives to enhance Kong’s
vulnerability management and testing processes, including:
- Automated Testing Pipeline Development: Design and implement automated
security testing workflows in GitHub Actions to ensure continuous
vulnerability scanning.
- Vulnerability Lifecycle Management: Establish comprehensive frameworks for
tracking and closing vulnerabilities across Kong Gateway.
- Hands-On Security Testing: Conduct manual penetration tests and validate
automated findings to ensure thorough vulnerability coverage.
- Collaboration with Development Teams: Partner with engineering teams to
remediate vulnerabilities and improve secure development practices.
- Continuous Improvement of Testing Tools: Regularly evaluate and integrate
cutting-edge tools and methodologies into testing pipelines.
By joining Kong Inc., you will combine your expertise in vulnerability
management, security engineering, and hands-on testing to ensure the security
and reliability of our leading cloud-native API management platform. If you’re
ready to take ownership of testing and remediation processes while driving
innovation in secure software development, we’d love to hear from you!
Kong has different base pay ranges for different work locations within the
United States, which allows us to pay employees competitively and consistently
in different geographic markets. Compensation varies depending on a wide array
of factors, including but not limited to specific candidate location, role,
skill set and level of experience. Certain roles are eligible for additional
rewards including sales incentives depending on the terms of the applicable plan
and role. Benefits may vary depending on location. US-based employees are
typically offered access to healthcare benefits, a 401(k) plan, short- and
long-term disability benefits, and basic life and AD&D insurance, among others.
The typical base pay range for this role in Canada is $144780 - $202825.
About Kong
Kong Inc., a leading developer of cloud API technologies, is on a mission to
enable companies around the world to become “API-first” and securely accelerate
AI adoption. Kong helps organizations globally — from startups to Fortune 500
enterprises — unleash developer productivity, build securely, and accelerate
time to market. For more information about Kong, please visit
http://www.konghq.com/ or follow us on X @thekonginc.