Offensive Privacy Testing Lead - USDS - TikTok : Job Details

Offensive Privacy Testing Lead - USDS

TikTok

Job Location: New York, NY, USA

Posted on: 2024-09-26T05:45:09Z

Job Description:
Description

TikTok is the leading destination for short-form mobile video. Our mission is to inspire creativity and bring joy. U.S. Data Security ("USDS") is a subsidiary of TikTok in the U.S. This new, security-first division was created to bring heightened focus and governance to our data protection policies and content assurance protocols to keep U.S. users safe. Our focus is on providing oversight and protection of the TikTok platform and U.S. user data, so millions of Americans can continue turning to TikTok to learn something new, earn a living, express themselves creatively, or be entertained. The teams within USDS that deliver on this commitment daily span Trust & Safety, Security & Privacy, Engineering, User & Product Ops, Corporate Functions and more.

Creation is the core of TikTok's purpose. Our platform is built to help imaginations thrive. This is doubly true of the teams that make TikTok possible. Together, we inspire creativity and bring joy - a mission we all believe in and aim towards achieving every day. To us, every challenge, no matter how difficult, is an opportunity: to learn, to innovate, and to grow as one team. Status quo? Never. Courage? Always. At TikTok, we create together and grow together. That's how we drive impact - for ourselves, our company, and the communities we serve. Join us.

Our Privacy Testing function provides services to TikTok's US market using four principles that guide our strategic and tactical operations. First, we champion trust and transparency, leading the charge in organizational transparency and execution of security and privacy capabilities that drive customer trust. Second, we are a business catalyst and enabler, embodying the DNA of technical innovation. Third, we drive risk-informed and empowered decision-making, giving our business leaders the information needed to make key decisions. Finally, we proactively identify and reduce risk while enabling innovative product development, to consistently build sustainable, world-class and trusted security capabilities.

As an Offensive Privacy Testing Lead, you will spearhead the collaboration, creation and execution of comprehensive privacy testing programs to identify and mitigate privacy risks within our organization's infrastructure, applications, products and services. You will manage a small team, conduct hands-on technical testing and collaborate closely with cross-functional teams, including USDS stakeholders, global stakeholders, engineering and product teams, to enhance our privacy practices and ensure the protection of user data.

In order to enhance collaboration and cross-functional partnerships, among other things, at this time our organization follows a hybrid work schedule that requires employees to work in the office 3 days a week, or as directed by their manager/department. We regularly review our hybrid work model, and the specific requirements may change at any time.

Responsibilities:
- Lead and execute in-depth offensive privacy testing utilizing an in-house control framework and risk-based threat modeling.
- Collaborate with and manage a team of testers, and act as the primary interface for various stakeholders such as legal, risk and compliance, privacy incident response, trust and safety, etc.
- Identify, exploit, and report privacy vulnerabilities across various platforms, including infrastructure, web, iOS, and Android.
- Collaborate with engineering, product, and vulnerability management teams to assist in the remediation of identified privacy weaknesses.
- Develop and maintain effective communication channels to report findings and recommend solutions to technical and non-technical stakeholders.
- Continuously improve testing methodologies and team processes to enhance privacy protections.
- Advocate for privacy best practices and help establish long-term security and privacy strategies.
- Interface directly with executive leadership and technical staff to lead Privacy Testing engagements.
- Plan, coordinate, authorize, and execute framework-based and risk-prioritized testing engagements, both short and long duration.
- Develop comprehensive, accurate reports targeting both technical and executive audiences.
- Communicate findings and strategy effectively to client stakeholders, including technical staff, executive leadership, and legal counsel.
- Define and maintain a set of Standard Operating Procedures (SOP), Rules of Engagement (ROE), methodologies and checklists for various Privacy Testing domains.
- Utilize attacker tools, tactics, and procedures to perform analysis and identify vulnerabilities.
- Build, develop, and maintain a technical team to provide Offensive Privacy Testing services to the organization.
- Procure, develop, maintain and refine an inventory of security tools needed for various operations.

Qualifications

Minimum Qualifications:
- Bachelor's degree in Information Security, Computer Science, IT, or a related field.
- Experience in offensive privacy and security disciplines such as red teaming, penetration testing, vulnerability research, or security/privacy research.
- Relevant industry certifications (e.g., CIPP, CIPT, CIPM).
- Hands-on technical experience in web, mobile and infrastructure penetration testing with tools like Burp Suite Pro, SQLMap, Frida, Objection, Android Studio, Xcode, MobSF, Drozer.
- Experience with conducting reverse engineering on mobile applications, including applications with anti-emulator and obfuscation protections.
- Familiarity and experience working with frameworks like MITRE ATT&CK/D3FEND, NIST, CCPA, COPPA, OECS, ISO, etc.
- Proven hands-on experience with programming and scripting languages (e.g., C/C++, C#, Python, Golang, JS).

Preferred Qualifications:
- Experience in conducting hands-on technical offensive security testing on various platforms.
- Effective communicator with experience of working in a fast-paced environment, where prioritization is key to success.
- Contributions to the privacy community such as research, public CVEs, bug-bounty recognitions, open-source projects, blogs, publications, speaking at conferences, etc.
- Industry certifications such as CPT, CRTO, OSCP, OSEP, OSWA, OSWE, OWSE, OSED, GPEN, GXPN, GWAPT, GMOB, BSCP.

TikTok is committed to creating an inclusive space where employees are valued for their skills, experiences, and unique perspectives. Our platform connects people from across the globe and so does our workplace. At TikTok, our mission is to inspire creativity and bring joy. To achieve that goal, we are committed to celebrating our diverse voices and to creating an environment that reflects the many communities we reach. We are passionate about this and hope you are too.

TikTok is committed to providing reasonable accommodations in our recruitment processes for candidates with disabilities, pregnancy, sincerely held religious beliefs or other reasons protected by applicable laws. If you need assistance or a reasonable accommodation, please reach out to us at

This role requires the ability to work with and support systems designed to protect sensitive data and information. As such, this role will be subject to strict national security-related screening.

Regular | Experienced