DuckDuckGo is an online protection company on a mission to raise the standard of trust online. As a Senior Web Security Engineer for the Browser Platform, you will conduct browser security audits, execute SERP security mitigations, manage application security scanning infrastructure, and support security triage efforts.
Responsibilities:
- Conduct browser security audits (special pages, DuckAI integrations, password manager, etc.)
- Execute on SERP security mitigations (XSS prevention, tooling development to help engineers write safer code)
- Manage application security scanning infrastructure setup (aka SAST/DAST integrations in GitHub)
- Deliver on internal red-team operations (simulated attack scenarios)
- Support security triage and more!
Requirements:
- 7+ years of experience in web or application security (performing security assessments, vulnerability research, penetration testing, or secure code review)
- Advanced programming or scripting experience with JavaScript. Any additional experience with our stack is a bonus: Swift/Kotlin/C#/JavaScript (native apps) or JavaScript/Perl/Go (search)
- Experience with at least one WebView technology (WebKit, WebView2, Chromium WebView, etc.) and understanding of browser security models (SOP, CSP, CORS, SameSite cookies)
- Hands-on experience identifying and exploiting web vulnerabilities (XSS, CSRF, injection attacks, authorization flaws, etc.)
- Familiarity with security testing tools and frameworks
- Experience partnering and collaborating with Product Engineers, advising on security matters and helping teams ship secure code faster
- Experience shaping how an organisation thinks about security - driving best practices, improving processes, and raising the bar across teams