Job Details
- The candidate must be highly proficient with Ruby on Rails, Burp Suite, and hand-crafting HTTP requests.
- Review and triage SAST output for relevance, accuracy, and priority.
- Construct and modify HTTP requests manually using Burp Suite, focusing on potential parameter tampering, broken authorization, and resource exposure.
- Confirm findings against real application behavior rather than relying on code review alone; findings must be manually validated whenever possible.
- Identify the authorization enforcement mechanisms in Ruby on Rails applications (e.g., before_action filters, current_user scoping patterns) and locate missing authorization checks.
- Read, comprehend, and critically analyze API documentation and API specifications in order to reproduce and manually validate SAST findings.
- Manually trace code execution paths in Ruby on Rails applications to determine whether insecure direct object references (IDOR) are present.
- Utilize Kibana and other logging/monitoring tools to trace request/response flows and gather evidence during validation efforts.
- Provide detailed, well-documented vulnerability reports, including:
  - Clear reproduction steps
  - Code-level root cause analysis
  - Security impact assessment
  - Mitigation recommendations
- Collaborate with AppSec engineers and developers to ensure findings are properly understood and prioritized.
- Help maintain and refine internal processes for IDOR detection in static code analysis, incorporating lessons learned from validations.
- Participate in deep dives into specific Rails patterns that may introduce authorization risks (e.g., mass assignment, nested resources, improper before_action usage).
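As an added illustration, and not part of the posting or of the employer's tooling, the plain-Ruby script below encodes the kind of heuristic an IDOR triage process for Rails might use: for each controller action it checks whether a record is fetched by a client-controlled id (`Model.find(params[...])`) without being scoped through `current_user`, and whether an authorization `before_action` (as opposed to an authentication-only filter such as `authenticate_user!`) covers that action. The two controller sources are constructed for the example; the vulnerable one leaves `show` and `update` unscoped, the hardened one scopes every lookup through `current_user.invoices`, so a foreign id raises `RecordNotFound` instead of returning another tenant's record. Because it is regex-based and does not follow method bodies or framework helpers such as Pundit's `authorize`, its output is a list of candidates to validate manually, which is exactly the triage step the role describes.

```ruby
# Heuristic IDOR triage helper (added example, plain Ruby, no Rails required).
# Constructed controller sources stand in for code a SAST tool might flag.

VULNERABLE_CONTROLLER = <<~RUBY
  class InvoicesController < ApplicationController
    before_action :authenticate_user!
    before_action :require_owner, only: [:destroy]

    def show
      @invoice = Invoice.find(params[:id])   # unscoped: any signed-in user can read any invoice
    end

    def update
      @invoice = Invoice.find(params[:id])   # unscoped write: horizontal privilege escalation
      @invoice.update(params.require(:invoice).permit(:status))
    end

    def destroy
      @invoice = Invoice.find(params[:id])   # covered by require_owner
      @invoice.destroy
    end
  end
RUBY

HARDENED_CONTROLLER = <<~RUBY
  class InvoicesController < ApplicationController
    before_action :authenticate_user!

    def show
      @invoice = current_user.invoices.find(params[:id])   # scoped: foreign ids raise RecordNotFound
    end

    def update
      @invoice = current_user.invoices.find(params[:id])
      @invoice.update(params.require(:invoice).permit(:status))
    end

    def destroy
      current_user.invoices.find(params[:id]).destroy
    end
  end
RUBY

# Filters whose names suggest they only prove identity, not ownership.
AUTHN_ONLY = /authenticate|login|logged_in|session/

# A constant receiver calling find/find_by/where on params, e.g. Invoice.find(params[:id]).
UNSCOPED_FIND = /\b[A-Z]\w*\.(find|find_by|where)\(\s*params/

# `before_action :name, only: [...]` / `except: [...]` -> [name, "only"|"except"|nil, [actions]|nil]
def parse_filters(source)
  source.scan(/before_action\s+:(\w+)(?:,\s*(only|except):\s*\[([^\]]*)\])?/).map do |name, kind, list|
    [name, kind, list ? list.scan(/:(\w+)/).flatten : nil]
  end
end

# action name => body text, one entry per `def ... end` block.
def parse_actions(source)
  source.scan(/^\s*def (\w+)\s*\n(.*?)^\s*end\s*$/m).to_h
end

# Actions that some authorization (not merely authentication) filter applies to.
def authorized_actions(source)
  actions = parse_actions(source).keys
  parse_filters(source).each_with_object([]) do |(name, kind, list), covered|
    next if name.match?(AUTHN_ONLY)
    applies = case kind
              when "only"   then list
              when "except" then actions - list
              else actions
              end
    covered.concat(applies)
  end.uniq
end

# action name => offending lines, for actions with an unscoped lookup and no covering filter.
def unscoped_lookups(source)
  covered = authorized_actions(source)
  parse_actions(source).each_with_object({}) do |(action, body), findings|
    next if covered.include?(action)
    hits = body.each_line.select { |l| l.match?(UNSCOPED_FIND) && !l.include?("current_user.") }
    findings[action] = hits.map(&:strip) unless hits.empty?
  end
end

if __FILE__ == $0
  puts "vulnerable: #{unscoped_lookups(VULNERABLE_CONTROLLER).keys.inspect}"
  puts "hardened:   #{unscoped_lookups(HARDENED_CONTROLLER).keys.inspect}"
end
```

Each reported action is a candidate, not a confirmed finding: the validator still has to send the request with another user's id through Burp Suite and check the response (and the Kibana trail) to confirm the object was actually returned or modified.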