Principal Application Security Engineer

Zuora provides the leading cloud-based subscription management platform that functions as a system of record for subscription businesses across all industries. Powering the Subscription Economy®, the Zuora platform was architected specifically for dynamic, recurring subscription business models and acts as an intelligent subscription management hub that automates and orchestrates the entire subscription order-to-cash process, including billing and revenue recognition.

At Zuora, every employee is the CEO of their career and leading our mission are over 1,200 passionate and innovative ZEOs who value freedom, responsibility and accountability in equal measure because they have the capacity to make shifts happen. Our culture isn’t an empty branding effort – our ZEOs love working here and it shows in our 4.5+ rating on Glassdoor. We take it very seriously. We encourage our employees to be curious, creative, and stay focused on our shared mission of enabling our customers to be successful.

Zuora serves more than 1,000 companies around the world, including Box, Komatsu, Rogers, Schneider Electric, Xplornet and Zendesk. Headquartered in Silicon Valley, Zuora also operates offices in Atlanta, Boston, Frisco, Denver, San Francisco, London, Paris, Beijing, Sydney, Chennai and Tokyo.

At Zuora, different perspectives, experiences and contributions matter. Everyone counts. Zuora is proud to be an equal opportunity employer committed to creating an inclusive environment for all.

Zuora is looking for a Principal Security Engineer with expertise in Application Security and DevSecOps to join our application security & security engineering team. 

What you’ll achieve:

• Work with teams across a worldwide organization and support them adopting and implementing software security practices and tools.
• Be hands-on with critical software engineering & tooling projects, work with the technical team lead and the product owner to ensure good security outcomes as part of project success.
• Shape the security of the overall Zuora software architecture and evangelize security within the R&D organization.
• Mentor engineers and influence architects when required to ensure security is baked in.
• Design and develop highly flexible common security components and APIs that enable the build of custom solutions that will be used across our company
• Develop best practices to ensure software security, functionality, usability, reliability and availability.
• Participate in design and code reviews as needed and provide appropriate recommendations.
• Work with project teams to design prototypes to validate security designs and solutions.
• Evaluate, test, implement, and support a variety of security tools
• Build a relationship and communicate effectively with all stakeholders in the SDLC (e.g. Product, Engineering, Operations) 

What you’ll need to be successful:

• 8+ years of designing, implementing, and securing applications and systems using one or more relevant technologies (see below)
• Working knowledge of modern web technologies including cloud based APIs and protocols (SOAP, REST, JSON), and relevant attacks and defenses.
• Experience developing and securing innovative, groundbreaking apps on a PaaS with 12-factor design
• Understanding of microservice architectures
• A passion and knowledge base for exploring and experimenting with the latest application development technologies and security technologies
• Disciplined self-starter, able to be highly productive both working alone and in close collaboration within an agile development team
• Tons of great ideas, the ability to bring them to life (or sometimes fail but learn a lot in the process) and a love for solving hard problems
• Solid interpersonal skills capable of building strong relationships across functions
• BA/BS in Computer Science or similar technical degree or equivalent experience

Relevant technologies:

• JVM technology (Java, Kotlin, Scala) and related software frameworks (Dropwizard, Spring and SpringBoot)
• Container and container infrastructure (e.g. Docker, containerd, k8s, Apache Mesos)
• Cloud technology (e.g. AWS, Azure, GCP)
• Web protocol standards (REST, RPC, SOAP)
• Unix/Linux
• Javascript ecosystem (node.js), frontend (e.g. web components, angular, vue, react) and full-stack frameworks
• Modest competency in common scripting and automation languages (Python, Ruby, Golang, etc.)