Overview

At Money Forward Inc., we continue to push the boundaries of financial innovation. With a diverse suite of over 50 B2C, B2B, and B2B2C services, our commitment remains unwavering: to make financial challenges easier to navigate for everyone. A key component of these services is the data collected through "account aggregation" technology and a single sign-on called "Money Forward ID". Many of these services and functions require high security because they handle sensitive user information.

The CISO office works closely with the product teams to maintain and improve the security of the products. This includes controlling and visualizing major cloud services such as AWS and GCP, designing, implementing, and operating common security functions such as WAF, conducting vulnerability assessments, and promoting shift-left initiatives.

We are looking for a candidate for the Head of Product Security to help strengthen our security so that more users can make the most of our services with a peace of mind.

Responsibility

By utilizing your knowledge and experience in coding and infrastructure, you will work closely with developers to maintain and improve MoneyForward's security. As a candidate for the Head of Product Security, you will work with the our Security Specialists in the CISO Office to promote the following tasks:

• Maintenance of security guardrails for multi-cloud environments
• In-house security consulting: technical advice on security to in-house developers, architecture reviews, etc.
• Perform or support vulnerability assessments and penetration testing
• Collection and validation of OSINT and other vulnerability information
• Development of security-related tools and scripts
• Implementation and deployment of frameworks such as NIST CSF, CIS Controls, etc.
• Management of product security organization (member evaluation, training, organization development, etc.)

Qualifications

• Basic understanding of information engineering including networking, operating systems, data structures, cryptography, etc.
• Experience managing an organization of 5 or more people
• Footwork and communication skills with the ability to move across the organization
• Experience in development in any programming language or security-by-design practices
• Knowledge and experience in any of the following
  • Vulnerability Assessment
  • Penetration testing or red team practices
  • Forensics, malware analysis, incident response, etc.
  • Cloud Security
  • Experience in building and operating DevSecOps
  • Experience in building and operating security solutions such as WAF, IDS / IPS, SIEM, etc.

Language Requirement

• English: Business-Level, both verbal and written. (min. TOEIC 800)
• Japanese: Not required but preferred

Preferred skills and experience

• CTF experience
• Experience in bug hunting and CVE acquisition
• Certifications such as CISSP, CISM, OSCP, GCIH
• Deep understanding of certification and authorization, OIDC, OAuth
• Experience in FISC or other security-related work in the financial or fintech industry

Technology Stack

• Web Server Side: Rails, Go
• Web Front End: React, Redux, webpack, TypeScript, Mocha, Jest
• Database: MySQL (Aurora)
• Infrastructure and middleware：AWS (ALB, EC2, RDS, S3, SQS, ElastiCache, EKS...) 
  GCP (BigQuery, Firebase, GKE)
  nginx, squid, memcached, kafka, logstash, filebeat, maxwell, kibana, elasticsearch,Fulentd envoy, Passenger, Puma, Unicorn, HAProxy, Docker Redis, Memcached

Tools used

• Biz platform: Marketo, SalesForce
• Repository management: GitHub
• CI/CD: CircleCI, bitrise, ArgoCD, CodeBuild, Github Action
• Development environment: Vagrant, Docker, Terraform Enterprise
• Monitoring: DataDog, Rollbar, Bugsnag, Sently, New Relic
• Communication: Slack
• Ticket management: Jira, asana, trello, backlog
• Security and automation: OWASP ZAP, Burp Suite, Sider (Brakeman), Snyk, Vaddy, Dockle, Trivy

Location, Work Style Policy (Work from office / Work from home)

• Location: Tokyo, Japan
• Hybrid Work
  - As a standard practice, a minimum of 2 days work from office attendance is mandatory, designated as team office days. Additionally, employees are encouraged to spend 3 or more days in the office.
  - The specific "team office days" may vary depending on the assigned team.
  - This policy may be subject to change based on the company's needs and work circumstances.

Relocation Support

• Working Visa
• Flight ticket to Japan
• Signing Bonus
• Temporary fully furnished apartment for the first month

Working hours

• Flexible Working Hours (No core time)

Vacations

• Two days off per week (Saturday and Sunday)
• Japanese national holidays (16 national holidays in 2021)
• Paid holiday: 10 days (first year) *Number of paid holidays increases (+1 day) every year up to 20 days a year.
• Summer vacation days: 3 days
• Winter vacations days: 2 days

Benefit

• Health insurance
• Employee stock ownership plan
• Full transportation coverage
• The latest computer (No limit upgrade or purchase when needed for development is available upon approval.)
• Seminar participation support
• Book purchases
• Copyright of OSS belongs to individuals