DevSecOps Engineer | Development and Operations Security Engineer

About Us

Bowtie's mission is to create a digital insurance platform that brings greater good to consumers. As we grow towards that mission, we're looking for highly dynamic, hands-on and passionate talent to join our team.

We Offer

  • Competitive salary
  • Fun, co-operative and flexible startup culture
  • Weekly sharing sessions and regular happy-hour gatherings
  • Flexible working hours
  • 5-day work week and Annual Leave
  • Benefits include medical/dental coverage and a wellness program
  • Professional Development Sponsorship
  • Hong Kong working visa sponsorship (onsite position)
  • Coaching by experienced engineers and domain experts
  • Direct exposure to various aspects of insurance operations
  • Agile task management

How to Apply

A description of your work history (whether as a resume, GitHub profile, LinkedIn profile, or prose)

About the Role

  • You will maintain and improve the reliability of the Cloud infrastructure by building and optimising CI/CD pipelines and automation
  • You will function as a cybersecurity player in the DevSecOps lifecycle, providing technical support for all aspects of the security life cycle for operation and engineering teams
  • As appropriate, you will be doing Architecture reviews and Threat Modeling of critical engineering work
  • You will help us scale the capacity and capability of the security team through automation, documentation, and safe default templating. One of our mottos is 'Never the same bug twice'. This is, undoubtedly, the most important way for us to scale safely by default
  • As developers interact with critical code paths, you will be asked to provide code reviews and feedback on the proposed changes
  • You will review, pentest, and analyze existing code bases to uncover vulnerabilities, and help teams fix the bugs you find. You will also maintain the secure coding standard, and guarantee its effectiveness through automation in the software development lifecycle

About You

  • Programming experience or ability in one of our core languages. Currently, we mainly use JavaScript and Python. You don't need to be a whiz, but we expect you to be able to write enough to push out fixes and simple features.
  • Strong understanding of AWS services and architectures
  • Fluency in a risk and threat modeling methodology. You don't need to be able to rattle off everything in the CWE as you iterate through STRIDE, but structure and fluidity in your analyses will really help you communicate efficiently across teams.
  • Mobile or Web Application Security experience. Be it source code audit, penetration testing, bug bounty triage, or code reviews, you'll be expected to examine code with a security-critical eye.
  • Strong written and verbal communication skills, specifically on security topics. The work our team does is consumed by a startling number of audiences, so being able to effectively communicate across those people will be invaluable in stopping confusion and saving roundtrips.