Ondo Finance is a company focused on providing institutional-grade, blockchain-enabled investment products and services. They are seeking a Senior Security Engineer to secure their cloud, network, and infrastructure-as-code, ensuring security policies and practices are effectively implemented.
Responsibilities:
- Own cloud security posture across AWS and GCP: IAM, network, encryption, logging, and account structure
- Own the CNAPP (cloud-native application protection platform): prioritize findings against real risk, drive remediation through engineering, and measure progress
- Design and enforce IaC guardrails: pre-merge policy-as-code, required modules, and CI gates that make the secure path the default
- Lead identity and access design across cloud, IdP, and developer platforms. Drive least-privilege as a continuously enforced property, not an annual project
- Own secrets management strategy and the migration off long-lived credentials wherever feasible
- Run focused offensive testing against our own infrastructure: cloud red-team scenarios, IAM privilege-escalation paths, CI/CD supply-chain attack paths, and lateral-movement chains. Translate findings into durable controls
- Partner with SecOps on detection coverage for cloud control-plane abuse and with Product Security on the infra side of application threat models
- Drive third-party and supply-chain risk for infra components: container base images, build pipelines, OSS dependencies in Terraform modules, and IaC providers
- Lead incident response for infra-rooted incidents alongside the SecOps lead
- Mentor engineers on threat modeling, secure-by-default infra patterns, and how to reason about blast radius
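The "pre-merge policy-as-code" and "CI gates" responsibility above is easiest to understand with a concrete gate. The script below is an added example written for this page, not Ondo Finance's code: it reads the JSON form of a Terraform plan (`terraform show -json plan.out`), which exposes each resource change under `resource_changes[].change.after`, and denies the merge if any IAM policy grants a wildcard action or resource, if an S3 bucket ACL is public, or if a policy document is not known at plan time (fail closed rather than skip). The embedded `SAMPLE_PLAN` is constructed for the demo; the resource types and attribute names are the AWS provider's, and the set of rules is an assumption about what a first guardrail would check.

```python
"""Pre-merge IaC guardrail over Terraform plan JSON (added example, not Ondo's code)."""
import json
import sys

# Resource types whose `policy` attribute is an IAM policy document (assumed list).
IAM_POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy",
                    "aws_iam_user_policy", "aws_iam_group_policy"}
PUBLIC_ACLS = {"public-read", "public-read-write"}

# Constructed sample: one over-broad policy, one public bucket ACL, one fine policy.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_iam_policy.ops", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"name": "ops", "policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
        {"address": "aws_s3_bucket_acl.logs", "type": "aws_s3_bucket_acl",
         "change": {"actions": ["create"], "after": {"acl": "public-read"}}},
        {"address": "aws_iam_policy.reader", "type": "aws_iam_policy",
         "change": {"actions": ["update"], "after": {"name": "reader", "policy": json.dumps({
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                            "Resource": "arn:aws:s3:::example-bucket/*"}]})}}},
    ]
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def iam_policy_findings(address, policy_doc):
    """Flag Allow statements whose Action is '*' / 'service:*' or whose Resource is '*'."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{address}: statement {i} allows wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"{address}: statement {i} applies to Resource '*'")
    return findings


def evaluate_plan(plan):
    """Return a list of deny reasons for a plan; an empty list means the gate passes."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["delete"], ["no-op"]):
            continue  # nothing new reaches the account
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        addr, rtype = rc.get("address"), rc.get("type")
        if rtype in IAM_POLICY_TYPES:
            if unknown.get("policy"):
                # Fail closed: a policy computed at apply time cannot be reviewed here.
                findings.append(f"{addr}: policy document unknown at plan time")
                continue
            raw = after.get("policy")
            doc = json.loads(raw) if isinstance(raw, str) else (raw or {})
            findings.extend(iam_policy_findings(addr, doc))
        elif rtype == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
            findings.append(f"{addr}: bucket ACL '{after['acl']}' is public")
        elif rtype == "aws_s3_bucket_public_access_block":
            for flag in ("block_public_acls", "block_public_policy",
                         "ignore_public_acls", "restrict_public_buckets"):
                if after.get(flag) is False:
                    findings.append(f"{addr}: {flag} disabled")
    return findings


def main(argv):
    """Usage: python iac_gate.py plan.json  (no argument runs the embedded sample)."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = evaluate_plan(plan)
    for f in findings:
        print("DENY", f)
    return 1 if findings else 0  # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a required CI check on the plan artifact, this is the "secure path by default" in practice: the rules are few and explicit, unknown values fail closed, and exceptions have to be argued in the pull request rather than discovered in an audit. Extending it to required modules (e.g. denying a raw `aws_s3_bucket` outside an approved module) is the same loop over `resource_changes`.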
Requirements:
- 3-5+ years in security engineering with deep focus on cloud and/or infrastructure
- Strong IaC skills — you have written, reviewed, and refactored real IaC at scale, and you can explain the failure modes of large IaC codebases
- Production experience across AWS, GCP, or Azure
- Hands-on experience with a cloud security platform
- Strong scripting skills in Python or Go
- Working knowledge of Kubernetes security (RBAC, admission control, workload identity) if our stack uses it; bonus if you can operate it
- Comfort owning a domain end-to-end: design, build, operate
- Experience defending crypto, fintech, or other targeted environments
- Experience with CI/CD security
- Adjacent experience in offensive security, application security, or other engineering disciplines welcome
- Familiarity with how on-chain operations interact with off-chain infrastructure