Senior / Staff Software Engineer - DevSecOps Security Expert

OKX • Full-time • Singapore, Singapore • 6d ago

Who We Are

At OKX, we believe that the future will be reshaped by crypto, and ultimately contribute to every individual's freedom. OKX is a leading crypto exchange, and the developer of OKX Wallet, giving millions access to crypto trading and decentralized crypto applications (dApps). OKX is also a trusted brand by hundreds of large institutions seeking access to crypto markets. We are safe and reliable, backed by our Proof of Reserves. Across our multiple offices globally, we are united by our core principles: We Before Me, Do the Right Thing, and Get Things Done. These shared values drive our culture, shape our processes, and foster a friendly, rewarding, and diverse environment for every OK-er. OKX is part of OKG, a group that brings the value of Blockchain to users around the world, through our leading products OKX, OKX Wallet, OKLink and more.

About the Opportunity

This role offers the opportunity to lead vulnerability management efforts from a security and compliance perspective, ensuring a complete governance lifecycle. You will analyze the scope and priority of vulnerabilities, develop scanning and suppression rules for SAST, DAST, and IAST, and contribute to the accuracy and efficiency of detection processes. In complex scenarios, you will reproduce vulnerabilities and establish standardized SOPs for vulnerability handling and secure coding practices. Additionally, you will focus on governing existing business operations to enhance overall security capabilities and ensure sustainable improvements.

What You’ll Be Doing

Govern security vulnerabilities discovered by SAST and DAST, complete the remediation process, and enhance overall enterprise security.
Integrate security requirements based on business scenarios, optimize vulnerability scanning and remediation processes, and improve handling efficiency.
Reproduce vulnerabilities in complex environments and optimize various SOPs for vulnerability handling and secure coding practices to ensure successful implementation.
Develop and maintain scanning rules and suppression rules for SAST, DAST, and IAST, including but not limited to Fortify, CodeQL, Xray, AWVS, etc.
Perform comprehensive code audits to improve vulnerability coverage, accuracy, and ensure code security and compliance.
Provide technical guidance and support to team members on security best practices.

What We Look For In You

Minimum 5 years of experience in DevSecOps or related fields.
Proficient in the principles and practices of SAST, DAST, and IAST.
Extensive experience using various scanning engines for code auditing and developing scanning rules.
Deep understanding of microservices architecture, with familiarity in reproducing vulnerabilities in microservice and RPC environments.
Knowledge of service chain tracking technologies.
Able to reproduce and resolve complex environment vulnerabilities identified by SAST, DAST, and IAST.
Strong development skills in Java and/or Golang.
Excellent problem-solving abilities and attention to detail.
Strong communication and teamwork skills.

Nice to Haves

Familiarity with application layer and cloud-native architecture, as well as related security governance.
Relevant security certifications.
Experience developing open-source security tools or involvement in the development and optimization of vulnerability scanning engines and governance platforms.
Familiarity with common web application architectures and their security vulnerabilities, with solid experience in vulnerability reproduction and remediation.