About PayPay
PayPay, a fintech company that has surpassed 70 million users in approximately 7 years since its service launch in 2018, is composed of diverse members from about 50 countries and regions.
We leverage the latest technologies, including AI, and data to achieve rapid service development and business growth. We are looking for colleagues who are passionate about professionally promoting the widespread adoption of cashless payments in Japan and its use as a financial life platform, and who will work with us to create new value for users.
About the Role
Team Introduction
This team's mission is to detect critical issues in the PayPay system before criminals do, by having white hat hackers act as simulated attackers and attempt to infiltrate the system. Team members have diverse backgrounds, but are primarily people with red team experience, network engineers, and SIEM log monitoring engineers. Many also have experience in various security industries and are applying that knowledge to raise the sophistication of this work.
Background of Recruitment
As new services, applications, and features expand, and as the number of employees and supply chains increases, the number of monitoring points is growing. While we are strengthening the systematization of monitoring processes, there is an urgent need to address and counter various threats as the service and company continue to grow. Therefore, we are looking for colleagues who can strongly promote a zero-security-incident environment and support PayPay.
Specific Job Responsibilities
As the department responsible for risk and security, you will be in charge of information security-related tasks necessary for PayPay's business development. Specific tasks include:
- Advanced vulnerability assessment, including manual methods, and penetration testing.
- Creation of cyber threat scenarios, planning/execution/evaluation of red team exercises based on those scenarios, and creation of various reports.
- Research on attacks/vulnerabilities, strengthening cyber resilience utilizing threat intelligence.
- Formulation, evaluation, and improvement of internal security/product security rules.
- Vulnerability management (support for countermeasures, confirmation of fixes, demonstration of risks, tracking of fixes, etc.).
- Consultation, proposal, analysis, and planning of technical security measures and designs.
- Security evaluation for services and campaigns.
Appeal of this Position
- You can maximize your experience and knowledge to gain experience with a wide range of technologies and systems in a large-scale environment.
- You can gain experience in designing and modeling attack predictions through threat intelligence and threat analysis.
- You will have opportunities to understand the work of other teams through collaboration with CSIRT, etc., as well as opportunities for skill improvement and job change through research, investigations, and study groups.
Required Experience/Skills
We are looking for candidates with at least two of the following experiences:
- 3+ years of work experience in vulnerability assessment/penetration testing at security vendors, etc.
- Experience in vulnerability assessment/penetration testing using tools and manually, and technical consulting experience (excluding auditing) for the following systems:
  - Web applications, platforms (mainly AWS), smartphone applications (iOS/Android/watchOS).
- System development experience and security measure implementation experience in systems or infrastructure.
- Understanding, building/operating cloud services (AWS, GCP, etc.).
*If you have a deep understanding of programming languages (knowledge to understand advanced vulnerabilities that exploit internal features of programming languages), we welcome you even if you have less diagnostic experience, provided you are willing to acquire the skills.*
Language Skills
- Native-level Japanese proficiency.
Desired Experience/Skills
- Knowledge and implementation experience of secure coding.
- Possession of penetration testing certifications (GIAC, OSCP, etc.).
- CTF participation/ranking achievements, vulnerability research.
- Knowledge of the NIST Cybersecurity Framework.
- English language skills (mainly reading and writing at a daily conversational level; opportunities to excel if conversational skills are also high).
What PayPay Looks For
- Individuals who embody the PayPay 5 senses.
Terms and Conditions
Employment Type
Work Location
- Hybrid Workstyle (remote work at office, home, or satellite office)
- *You will be required to commute to the office/work remotely according to the rules and work instructions of your affiliated organization.*
- *The use of satellite offices is subject to the rules of your affiliated department.*
Working Hours
- Super flex-time system (no core time)
- Principle: 9:00 AM - 5:45 PM (7 hours 45 minutes actual work + 1 hour break)
Holidays
- Saturdays, Sundays, public holidays, year-end and New Year holidays, and company-designated days.
Leave (Statutory Leave and Company Benefits)
- Annual paid leave (14 days in the first year, prorated according to the month of joining. Usable from the date of joining).
- Personal leave (5 days granted annually / 3 or 5 days granted in the first year depending on the month of joining).
- *This is PayPay's unique special paid leave system, which can be used for illness/injury/hospital visits for oneself, family, or pets.*
Salary
- Annual salary system (includes a portion of fixed overtime pay).
- Determined according to our company regulations based on experience, skills, performance, and contribution.
- Reviewed once a year.
- Special one-time payment (incentive) awarded once a year based on company performance and individual contribution.
- Overtime work allowance, late-night work allowance available.
*Part of your salary can be received in your PayPay account (supports digital salary payment).*
Benefits
- Social insurance (health insurance, employee pension, employment insurance, workers' accident compensation insurance).
- Corporate defined contribution pension plan.