Security Engineer (Remote - Spain - Spanish required)

Fully Remote

At Metricool, you'll empower professionals and small businesses worldwide to save time and achieve better results on social media, all while enjoying creativity and freedom.

You'll join a fully remote, international, and rapidly growing team that loves to innovate, collaborate, and simplify the work of community managers around the globe.

As a Security Engineer, you will play a critical role in designing, building, and maintaining secure and scalable software solutions. You'll be directly responsible for protecting our platform and data while collaborating with inspiring teams and enabling success stories for our customers.

In this position, you will be able to contribute and have an impact in several areas:

As a Security Expert:

  • Fortify Platform Security: Load JavaScript resources exclusively from trusted domains by modifying code in JSP and Vue pages.

  • Implement Robust Session Management: Ensure session cookies contain a valid 'SameSite' attribute by adjusting Spring Security configurations and JavaEE filters.

  • Enhance Anti-CSRF Protections: Include anti-CSRF tokens in HTML form submissions, requiring expertise in Vue, Spring Security, and JavaEE.

  • Ensure Safe Data Requests: Prevent data modification via GET methods using your deep JavaEE knowledge.

  • Protect Against Information Leaks: Configure AWS Load Balancers, Nginx, and Apache Tomcat to prevent proxies from revealing information about the technology and its version used on the platform.

  • Optimize Authentication Security: Ensure session cookies are not generated on unauthenticated pages by refining Spring Security and JavaEE settings.

  • Enforce HTTPS Everywhere: Deactivate HTTP communication across the platform using AWS Load Balancers, Nginx, and Apache Tomcat.

  • Deploy Advanced CSP Headers: Include strict Content-Security-Policy (CSP) headers in platform responses, ensuring CSPs do not allow access from unapproved domains.

  • Eliminate 'Unsafe' Directives: Modify Vue pages, JSP, and Java classes to remove 'unsafe-inline' values in CSP 'script-src' and 'style-src' directives.

  • Tighten CORS Controls: Correct server-side CORS configurations to permit responses only for allowed external domains by adjusting Spring Security and JavaEE filters.

  • Prevent Sensitive Data Exposure: Refactor code to avoid passing user authentication information (tokens, session IDs, etc.) as query parameters.

  • Mitigate Third-Party Risks: Regularly review and update third-party libraries using Maven, JavaEE, and Node.js to avoid known vulnerabilities.

  • Craft Secure User Experiences: Suppress sensitive information in error messages through advanced JavaEE, Spring Security, and Vue techniques.

  • Strengthen Cookie Security: Adjust Spring Security configurations and JavaEE filters to ensure cookies with sensitive data carry the HttpOnly and Secure flags.

  • Combat XSS Attacks: Utilize Vue, Node.js, Spring Security, and JavaEE to ensure robust defense against Cross-site Scripting (XSS) attacks.

  • Manage Secrets Responsibly: Conduct regular audits to ensure no secrets are stored in the code repository.

  • Defend Against Injection Attacks: Develop preventive measures against code/command injection using JavaEE, Apache Tomcat, Nginx, MySQL, Cassandra, REDIS, and Linux.

  • Use Cutting-Edge Cryptography: Implement modern, secure cryptographic algorithms.

  • Protect Sensitive Data: Continuously evaluate and improve the security measures that protect sensitive information.

As a Team Member:

  • Mentor and Inspire: Share your knowledge and empower your fellow engineers to grow.

  • Solve Challenges Together: Work closely with your team to set goals, identify obstacles, and tackle complex security challenges.

  • Collaborate Across Departments: Exchange ideas with other teams to create robust security resources for the entire organization.

Long story short: What will your first days at Metricool be like?

  • First month: For the first few weeks, we will ensure you understand your impact on the team and the business and learn about the team, the industry, and processes. You will meet every contributor on your team and understand their areas of expertise.

  • First Quarter: Within the first three months, you will understand your team better, work autonomously, and begin sharing new ideas and creating a more significant impact.

  • To the moon: You will become an active team member after this process. You will also understand how to reach objectives and set your strategies based on the company's goals.

Job requirements. You’ll be successful in your mission if:

  • Proficiency in Docker (to launch ZAP or similar tools, to be defined).

  • Strong experience with ZAP, Linux, JavaEE, and Spring Security.

  • Knowledge of REDIS and Cassandra.

  • Solid understanding of Vue, Node.js, and the HTTP(S) Protocol.

  • Familiarity with AWS services and Cryptography best practices.

  • Fluent in both Spanish and English to effectively communicate with an international team.

What we offer:

  • Remote Work Environment: Work from anywhere with the tools you need to succeed, and stay connected through platforms like Slack and Zoom.

  • Annual Meetups: Join us once a year to build camaraderie and deepen team bonds.

  • Health Care Plan: Enjoy private insurance after your probationary period.

  • Competitive Salary: We offer a highly competitive salary, with ranges from €40,000 to €60,000 for senior roles.

  • Professional Development: Access a comprehensive growth plan tailored to your professional journey.

  • Language Lessons: Expand your language skills in English, Spanish, French, or German.

  • Flexible Schedule: Work at your own pace while ensuring effective collaboration with your team.

  • Flexible Remuneration Package: If based in Spain, allocate part of your gross salary toward tax-reducing expenses.

FAQs

Q: What operating system do we use?

A: It's your choice! We support both Apple and other systems, depending on your preference.

Q: What type of architecture do we have?

A: We work with a monolithic architecture, internally deployed with a service-oriented design, and a small number of AWS services.

Q: How do we manage tasks?

A: We use ASANA and follow a natural, flexible approach rather than strict Scrum methodologies.

Q: How do we review code?

A: We use Bitbucket for code review, with each member working on branches and submitting pull requests for peer review.

Job Profile

Restrictions

Spanish required

Benefits/Perks

Creative freedom, Fully remote, International team

Tasks
  • Collaborate Across Departments
  • Combat XSS attacks
  • Craft secure user experiences
  • Defend against injection attacks
  • Deploy CSP headers
  • Eliminate unsafe directives
  • Enforce HTTPS
  • Enhance anti-CSRF protections
  • Ensure safe data requests
  • Fortify platform security
  • Implement session management
  • Manage secrets
  • Mentor team members
  • Mitigate third-party risks
  • Optimize authentication security
  • Prevent sensitive data exposure
  • Protect against information leaks
  • Protect sensitive data
  • Strengthen cookie security
  • Tighten CORS controls
  • Use cryptography
Skills

Anti-CSRF, Apache Tomcat, AWS, Cassandra, CORS, Cryptography, JavaEE, JavaScript, Linux, Maven, MySQL, Nginx, Node.js, Redis, Security Engineering, Session management, Spring Security, Vue, XSS protection

Timezones

UTC+1