Senior Product Security Engineer

Remote Posted 7 days ago
Main Location
Raleigh, NC, United States

Our Customers Develop Software at the Speed of Ideas

CloudBees is powering the continuous economy by offering the world’s first end-to-end continuous software delivery management system (SDM). For millions of developers and product teams driving innovation for businesses large or small, SDM builds on continuous integration (CI) and continuous delivery (CD) to enable all functions and teams within and around the software delivery organization to best work together to amplify value creation.

CloudBees is the continuous integration (CI), continuous delivery (CD) and application release automation (ARA) powerhouse built from the commercial success of its products and its open source leadership as the largest contributor to Jenkins and a founding member of the Continuous Delivery Foundation (CDF). With a globally distributed workforce of more than 500 employees, the company reflects the global nature of the DevOps movement. We believe in walking the talk! From startups with full-stack developers practicing NoOps to large Fortune 100 companies, CloudBees enables all software-driven organizations to intelligently deploy the right capabilities at the right time.

Over 3,500 of the world’s best known brands and over 50% of the Fortune 500, invest in CloudBees because of its ability to work across any cloud, in any development environment and to balance corporate governance and control with developer flexibility and freedom.

CloudBees is home to the world’s leading DevOps experts helping thousands of companies harness the power of “continuous everything” and putting them on the fastest path from great idea, to great software, to great business value.

The Product Security organization oversees engineering security practices across the entire product organization, and therefore the securing of multiple products (both on-prem builds and SaaS). Product Security is multi-faceted with respect to the counterparts it interacts with: Engineering teams, Product Management, Product Marketing, Legal, and external customers. It sits at the crossroads of everything we build.

You will be involved in a vast array of endeavors to build our security program. This ranges from engineering our compliance program, working on the application security pipeline, driving cloud security practices, and managing vulnerabilities to educating our engineering workforce and hardening our software supply chain.

You will be the reference point when it comes to security and will develop our core security program. We mean security engineer.

Location / Time Zone: our preferred team member will work in Europe working hours. We fully embrace remote working. We use remote tools extensively, including Slack and Google Docs.

What You’ll Do

  • Work on our global security program
    • Define and implement what is best for the product organization when it comes to security.
    • Define and implement the bulk of our application security pipeline.
    • Work on our software supply chain security.
    • Collaborate and engineer our compliance efforts.
    • Educate and evangelize security throughout the organization.
    • Re-engineer processes as needed in collaboration with the teams.
  • Work closely with the Jenkins Security CERT team, diving deep into Java security.
  • Work closely with the Product (engineering) teams to feed security requirements/features into the design, implementation, and delivery of new services.
  • Collaborate with the Operations team to bring infrastructure security requirements "up" the stack into applications.
  • Code the necessary automation to ensure ongoing adherence to security practices/policies.
  • Develop or integrate libraries and other building blocks to enable all CloudBees services to operate and handle user data more securely.
  • Help raise the profile of security across engineering.

What The Role Requires

  • Prior experience (3+ years) working within Application or Information Security teams.
  • 2+ years scripting development experience (e.g. Go, Python, Ruby).
  • Strong understanding of the OWASP Top Ten security risks and how to mitigate them.
  • Experience with OWASP SAMM or another maturity model framework.
  • Good knowledge of compliance frameworks (e.g. GDPR, NIST 800 series, SOC2) and how to implement controls in practice.
  • Experience with commercial tools for static/dynamic code analysis (e.g. ZAP, Burp).
  • Passion for data security and privacy, with a balance for feature delivery.
  • Up-to-date knowledge of latest security vulnerabilities (e.g. reported CVEs) against web application frameworks and libraries, including an understanding of their impact and exploitation techniques.
  • The ability to write a solid root-cause-analysis / explanation of a security issue is critical - including how to exploit, likelihoods of exploit, etc.
  • Strong familiarity with RESTful API practices.
  • Working knowledge and understanding of AWS and/or Google Cloud.
  • Familiarity with working on complex applications using modern best practices (e.g. test-driven development, continuous delivery, code reviews, etc.).
  • The hacker mentality of doing whatever it takes to figure out and solve a problem.
  • Understanding of PKI and encryption theory and implementation.
  • Understanding of authentication/authorization frameworks (e.g. OAuth2, SSO).
  • Understands the principles of software craftsmanship, writing clean code, even when working on extremely hard problems under deadline pressure.
  • Experience with Docker and Kubernetes, as well as some configuration management tools (e.g. Terraform).
  • Additional nice to haves:
    • Experience with penetration testing tools.
    • Sysadmin-like experience a plus.

At CloudBees, we truly believe that the more diverse we are, the better we serve our customers. A global community like Jenkins demands a global focus from CloudBees. Organizations with greater diversity—gender, racial, ethnic, and global—are stronger partners to their customers. Whether by creating more innovative products, or better understanding our worldwide customers, or establishing a stronger cross-section of cultural leadership skills, diversity strengthens all aspects of the CloudBees organization.

In the technology industry, diversity creates a competitive advantage. CloudBees customers demand technologies from us that solve their software development, and therefore their business problems, so that they can better serve their own customers. CloudBees attributes much of its success to its worldwide work force and commitment to global diversity, which opens our proprietary software to innovative ideas from anywhere. Along the way, we have witnessed firsthand how employees, partners, and customers with diverse perspectives and experiences contribute to creative problem solving and better solutions for our customers and their businesses.

Help us maintain the quality of jobs posted on PowerToFly. Let us know if this job is closed.