Overview

Hi there!

We’re looking for someone to join our Engineering team at Prezi as a Security DevOps Engineer. Are you interested in designing and improving the security architecture of Prezi in order to protect the data of millions who are using our cloud productivity tool? Then read on…

We want you to feel comfortable and excited to apply to Prezi. First, our benefits might give you a quick glance at how we value our employees. Second, even though our job description may seem like we’re looking for a specific candidate, the role inevitably ends up tailored to the person who applies and joins. Regardless of how well you feel you fit our description, we encourage you to apply if you care deeply about building secure products in secure ways. We hire for potential and mindset, not existing hard skills. With that said, you ideally:

  • get excited about finding potential edge-cases (like “what can go wrong?”) or misuses regarding security
  • have experience with public cloud providers (preferably AWS)
  • already wrote some complex services, preferably in Python
  • feel end-to-end responsibility towards your services and everything you do (from design to the very last exception you get)
  • understand how the Internet works (from IP subnets to HTTP headers)
  • know and love continuous delivery, clean code, Linux and Docker
  • think critically and are ready to challenge the status quo in a constructive way
  • have strong English communication skills, both spoken and written

Some of the challenges we have in our sight right now:

  • Implementing meaningful security controls in line with agile practices, devops and SOC2
  • Hardening our critical infrastructure components (from super detailed auditing to confining processes with Apparmor at scale)
  • Building up and establishing a strong and effective internal security training program (maybe engineering-wide red/blue team games like capture the flag)

We believe that our stories can give you a far more honest and precise description of what it is like to work in our team:

“As a pentester, I thought I was making the world a better place. However, I had to realise that some companies don’t even fix the most critical bugs. I made a decision (which I still do not regret) and moved to the “defending side”, where my job is now not just to discover the bugs but also to get them fixed. This makes me feel like a real superhero saving the world a bit every day.”

“When I joined the team, there was almost no security monitoring at all, so we decided to focus on this area. After a year, we had so many (false positive) alerts that we couldn’t handle them. Since there was no off-the-shelf solution satisfying our needs, we decided to write our own automated code review tool called Repoguard, then an automated infra review tool called Reddalert and lastly an internal SIEM solution to store, correlate and alert on (hopefully) true positive alerts only. I love to build stuff, but only if I see the value of it (and I’m sure there is no better alternative). At Prezi, we make such decisions every day, which is a challenging but very mind-blowing experience.”

“At Prezi, we accept that there is no unbreakable system – including ours. The best we can do is to raise the bar for the attackers every day and learn from our mistakes. This is exactly what we are trying to do by fine-tuning our security monitoring system every day and holding post mortem meetings whenever our defensive measures have failed us.”

“I switched from pentesting to the blue side so I can be part of building up a world class security team working effectively in an agile & devops environment. I believe that we have the rare opportunity of seeing and having an impact on Prezi while it is growing up from a small startup.”

“As a Product Owner I love working together with the team to cover all the aspects of security, like reacting to potential incidents, developing tools and sometimes complex services in Python for detecting risks, integrating different security products, evangelising security internally and tweaking company-wide processes to maximise our impact. I believe working with so many things and keeping focus can be super challenging and, to be honest, sometimes even frustrating, but it definitely gives the opportunity to learn every day.”

“I never really liked to work on totally different projects for completely different customers one after another, as I had no time to fully understand the problem and put my heart and soul into the solution – just deliver the order on time. Working continuously on one product with 300+ people really enables me to fully identify with our product and the vision, understand all of its technical components from top to bottom and add my own ideas to it. I really love this feeling.”

“When a BugBounty researcher sent us the contents of one of our /etc/passwd files in a video, I thought to myself: God, I love this job!”

“PagerDuty alerts tend to wait in the darkness until you close your eyes for a good night’s sleep or the entire team goes offsite for a conference or team building – it can be frustrating to deal with them, but you know, it’s part of the drill.”

“It’s kind of ‘Go hard or go home’ – except it’s not always easy to go home from such an awesome office!”

“AppSec, InfraSec, SOC, Compliance – for many companies, it’s 4 teams. At Prezi, it’s 4 engineers (for now…)”

If you would like to learn more about Prezi or the hiring process, please check out the FAQ section. If you are interested in more detail about what the Security team at Prezi does or did, here are some links to our open source projects, blog posts and presentations:

[presentation] What we learnt from running our Security Operations Center @ BSidesLjubljana 2017
[tool] Reddalert to detect risky security changes in AWS
[tool] Repoguard to check and alert on any change in git repositories which might be interesting
[blog] How we defeated Heartbleed
[blog] Story of an awesome bugbounty submission
[presentation] Security alerts that are worth a phone call @ Hacktivity 2014 (video)
[presentation] Scaling Security @ Confidence 2014 (video)