Sr. Product Security Engineer (Privacy specialty)

The Opportunity

We seek a trustworthy and proactive Senior Product Security Engineer (Privacy specialty) to be the technical thought leader and driver of a paved-road holistic product security program. The Product Security Engineer works across various engineering groups in our organization to ensure that our products are as secure and privacy-protecting as our customers expect. We’re looking for someone who loves to solve significant challenges in Product Security. These challenges include ensuring a secure software supply chain from idea to operation providing software provenance automating everything in CI/CD and building and breaking software to make it more secure.

To be successful as a Product Security Engineer you should have hands-on experience securing the software supply chain and products of a SaaS and mobile-first company enjoy partnering with fellow engineers and be able to speak to the big picture of the SDLC and how to achieve a desired state in reasonable chunks. As an engineer you should lead with a hacker mindset and be able to roll up your sleeves and design architect and threat model security critical solutions. Reporting to the Sr. Director of Information Security you will be an early hire to the security team and will have the opportunity to influence and evolve our product security program.

Responsibilities

• Partner with engineering and product management teams to perform threat modeling architecture & design and code reviews. Assess security implications requirements for the secure development of new systems features and technologies.

• Provide hands-on remediation guidance to development teams and design security architecture features and controls that keeps our customers' data safe and preserves their privacy.

• Build a security paved road through automation and tooling (SAST SCA MAST IaC DAST Fuzzing etc.) into the SDLC and CI/CD integrations that enables our developers to easily produce secure software.

• Define architect build improve and validate secure software supply chain and build provenance mechanisms.

• Manage triage and provide support to external researchers in our vulnerability disclosure and bug bounty programs.

• Provide proof of concept exploits facilitate vulnerability remediation and drive adherence to software security standards through policy as code.

• You'll help scale the engineering organization and mentor engineers on best practices in secure software design and architecture.

Qualifications:

• Deep expertise in at least one domain: web application and browser security mobile application security applied cryptography machine learning and artificial intelligence security offensive security cloud security hardware security.

• Experience in software engineering infrastructure engineering site reliability engineering or offensive security for a SaaS product company.

• Experience with a variety of security tooling to include: SAST DAST SCA IaC Scanning Image and Container Scanning MAST IAST and offensive security and proxy tooling.

• Deep expertise with common application security flaws security controls and common security libraries and identifying security issues through code review threat modeling penetration testing and other techniques manually and with tools.

• You are a strong communicator who is comfortable working cross-functionally with a track record of delivering results and demonstrating strong ownership.

• Extensive experience in SaaS product development and security space; securing complex interconnected web and mobile applications and their architectures using Python Javascript Swift Java C++ Kotlin or any other modern language.

• You enjoy collaborating cross-functionally to accomplish shared goals and you care about learning growing and helping others to do the same.

Preferred Experience and Certification:

• Have SaaS Startup experience in security-focused industries such as fintech security software and services healthtech and identity and access management.

• Experience with virtualization containerization technology orchestration and cloud native security.

• Certifications in Security Product Security and/or Offensive Security (eg. OSCP OSWP OSEP OSWA OSED OSMR OSWE OSEE GPEN GWAPT CEH etc).

• Cloud Certifications such as AWS Certified Solutions Architect AWS Security Specialty

• Hands-on experience in offensive security and CVEs to prove it.