- At least 3 years' experience in application security, code review, and security architecture
- Proven experience securing IoT systems, smart devices, or connected platforms
【About the Role】
We are seeking a specialized Cyber Security Engineer to lead security initiatives across our Smart Campus, IoT, and Big Data platforms. This role is responsible for designing comprehensive software security architectures, conducting rigorous code reviews, performing security testing, and auditing vendor-supplied code to ensure end-to-end system protection.
You will work at the intersection of development and security, embedding security best practices throughout the software development lifecycle and safeguarding our innovative solutions against emerging cyber threats.
【Key Responsibilities】
1. Security Architecture & Solution Design
- Design and implement comprehensive security architectures for software systems in Smart Campus, IoT, and Big Data environments.
- Develop security blueprints, threat models, and risk mitigation strategies for complex, interconnected systems.
- Define security requirements and specifications for new features and platform enhancements.
- Conduct security risk assessments for existing and proposed systems, identifying vulnerabilities and recommending remediation measures.
2. Code Review & Security Testing
- Lead secure code reviews for both in-house developed and vendor-supplied code, identifying security flaws, logic errors, and compliance issues.
- Perform static application security testing (SAST) and dynamic application security testing (DAST) using industry-standard tools.
- Conduct penetration testing on web applications, mobile apps, APIs, and IoT devices to uncover vulnerabilities before deployment.
- Develop and maintain automated security testing pipelines integrated with CI/CD processes.
3. Vendor Code Audit & Third-Party Risk Management
- Audit and review code provided by external vendors and suppliers to ensure compliance with organizational security standards.
- Assess third-party components, libraries, and dependencies for known vulnerabilities and licensing risks.
- Establish security criteria for vendor selection and conduct security evaluations during procurement processes.
- Work with vendors to remediate identified security issues and validate fixes.
4. Security Governance & Compliance
- Develop and maintain security policies, standards, and guidelines specific to Smart Campus, IoT, and Big Data platforms.
- Ensure compliance with relevant industry standards and regulations (ISO 27001, the NIST Cybersecurity Framework, Hong Kong's Personal Data (Privacy) Ordinance (PDPO), etc.).
- Support security audits and certification efforts, providing technical evidence and documentation.
- Stay abreast of emerging security threats, vulnerabilities, and attack vectors affecting IoT and connected systems.
5. Network & Infrastructure Security
- Build and maintain the project's network security protection system: configure security devices such as firewalls, WAF, IDS/IPS, and VPN, tune their policies, and defend against network and application-layer attacks (e.g., DDoS, SQL injection, unauthorized intrusion).
- Take ownership of security hardening for servers, operating systems (Windows Server, Linux, etc.), databases, and application systems; run regular vulnerability scans and penetration tests, issue vulnerability reports, and drive remediation through to completion.
6. Incident Response & Remediation
- Participate in security incident response, investigating breaches, analyzing root causes, and implementing corrective measures.
- Monitor security alerts and logs from various systems (SIEM, EDR, IoT platforms) to detect suspicious activities.
- Coordinate with development and operations teams to patch vulnerabilities and deploy security updates.
【Qualifications & Requirements】
Education:
- Bachelor's degree or higher in Computer Science, Information Security, Cybersecurity, Electrical Engineering, or a related field.
Must-Haves:
1. Work Experience
- At least 3 years of experience in cyber security roles, with a specific focus on application security, code review, and security architecture.
- Proven experience securing IoT systems, smart devices, or connected platforms is essential.
- Experience conducting vendor code audits and third-party security assessments.
2. Technical Skills
- Security Architecture:
- Strong knowledge of security architecture principles, threat modeling (STRIDE, DREAD), and risk assessment methodologies.
- Experience designing security controls for distributed systems, cloud platforms (AWS/Azure/GCP), and edge computing environments.
- Familiarity with IoT security frameworks and standards (IEC 62443, ETSI EN 303 645, NIST IR 8259).
- Code Review & Testing:
- Proficiency in conducting manual and automated code reviews for multiple programming languages (Java, Python, JavaScript, C/C++).
- Hands-on experience with SAST tools (SonarQube, Checkmarx, Fortify) and DAST tools (Burp Suite, OWASP ZAP).
- Penetration testing skills for web applications, mobile apps, APIs, and IoT firmware.
- Understanding of OWASP Top 10, SANS Top 25, and common vulnerability patterns.
- DevSecOps:
- Experience integrating security tools into CI/CD pipelines (Jenkins, GitLab CI, GitHub Actions).
- Knowledge of container security (Docker, Kubernetes) and infrastructure-as-code security scanning.
- Security Tools:
- Familiarity with SIEM, EDR/XDR, vulnerability scanners, and security monitoring platforms.
- Understanding of network security, transport encryption (TLS, including the legacy SSL versions it replaced), and identity and access management (IAM).
3. Language Requirements
- Cantonese: Fluent (must-have for team collaboration and local stakeholder communication).
- English: Proficient (able to read technical documentation and conduct professional communication).
- Mandarin: Working proficiency (advantageous for communication with Mainland China vendors and teams).
4. Preferred Certifications
- CISSP (Certified Information Systems Security Professional)
- CEH (Certified Ethical Hacker) / OSCP (Offensive Security Certified Professional)
- CISA (Certified Information Systems Auditor)
- GIAC certifications (GWEB, GWAPT, GICSP)
- AWS/Azure Security specialty certifications
- ISO 27001 Lead Implementer/Auditor
5. Industry Knowledge (Preferred)
- Experience in Smart Campus, Smart Building, or IoT solution development/deployment.
- Understanding of Big Data platform security (Hadoop, Spark, data lakes) and data privacy requirements.
- Familiarity with regulatory requirements in Hong Kong (PDPO) and cross-border data transfers.
- Knowledge of cryptography, PKI, and secure firmware update mechanisms for IoT devices.
【Key Competencies】
- Security-Minded: Deep commitment to protecting systems and data through proactive security measures.
- Analytical Thinker: Ability to dissect complex systems, identify vulnerabilities, and devise effective countermeasures.
- Detail-Oriented: Meticulous approach to code review, vulnerability assessment, and documentation.
- Collaborative: Works effectively with development teams, vendors, and stakeholders to embed security without hindering innovation.
- Continuous Learner: Stays updated on evolving cyber threats, attack techniques, and security technologies.
- Problem Solver: Calm and effective under pressure during security incidents and remediation efforts.
We offer an attractive remuneration package with comprehensive fringe benefits to the right candidate. Interested parties please send your full resume with expected salary and availability to the Human Resources Department by clicking Apply Now.
Interested parties are invited to visit our website (www.cscechk.com/en) for more information.
All information provided by applicants will be treated in strict confidence and used only for recruitment purposes. Applicants may be considered for other suitable positions within the China Overseas Group and its related companies for a one-year period, after which their personal data will be destroyed.