Product Security Engineer (1582)

About CloudBees

CloudBees provides the leading software delivery platform for enterprises, enabling them to continuously innovate, compete, and win in a world powered by the digital experience. Designed for the world's largest organizations with the most complex requirements, CloudBees enables software development organizations to deliver scalable, compliant, governed, and secure software from the code a developer writes to the people who use it. The platform connects with other best-of-breed tools, improves the developer experience, and enables organizations to bring digital innovation to life continuously, adapt quickly, and unlock business outcomes that create market leaders and disruptors.

CloudBees was founded in 2010 and is backed by Goldman Sachs, Morgan Stanley, Bridgepoint Credit, HSBC, Golub Capital, Delta-v Capital, Matrix Partners, and Lightspeed Venture Partners. Visit www.cloudbees.com and follow us on Twitter, LinkedIn, and Facebook.

About the role

The Product Security organization oversees engineering security practices across the entire product organization and therefore the securing of multiple products (both on-prem builds and SaaS). Product Security is multi-faceted with respect to the counterparts it is interacting with: engineering teams, product management, product marketing, legal and external customers; it is at the cross-road of everything we build. You will be involved in a vast array of endeavors to build our security program. Your primary task will be to automate and integrate a variety of systems and tools to come up with a state-of-the-art security pipeline and help teams identify, mitigating and sometimes fixing security vulnerabilities inherent to our products . You will also lean on other engineering endeavors for our compliance program, work on the application security pipeline, drive cloud security practices, Docker and Kubernetes security, vulnerability management, educating our engineering workforce, and harden our software supply chain. Location / TimeZone: our preferred team member will work CEST / GMT or EST working hours. We fully embrace remote and asynchronous working but recognize the demands of time-zones on all staff. We use remote tools extensively, including Slack, GitHub and Google Docs.

What you'll do

• Work on web application security, including front-end and back-end.
• Work hand in hand with Ops on cloud security and incident response.
• Engineer and automate our global product security program
• Define and implement application security pipelines:
• Work on our software supply chain security with product teams.
• Develop or integrate libraries and other building blocks to enable all CloudBees services to operate and handle user data more securely.
• Drive and follow-up on risk assessments, security reviews with Product teams.
• Work closely with the product engineering teams to deliver security requirements/features into the design, implementation, and delivery of new services, based on OWASP SAMM, SLSA, etc.
• Improve and use our tooling, including vulnerability management application (OWASP Defect Dojo) and other internal scripts and security-focused software
• Help raise the profile of security across engineering:
• Educate and evangelize security engineering throughout the organization.
• Re-engineer processes as needed in collaboration with the teams.

Role requirements

• The hacker mentality of doing whatever it takes to figure out and solve a problem.
• There is no lie in saying we will be asking for a lot
• Prior experience (5+ years) as an appsec engineer, including:
• Risk Assessment / Threat Modeling / Risk Mitigation
• Security reviews (incl. active vulnerability research)
• Automation
• Secure SDLC
• Understand, explain and assess software security vulnerabilities
• Prior experience (2+ years) working with Product teams, directly interacting with software development and operations teams.
• Proficiency using CI/CD tools to create and manage automated pipelines (e.g. Jenkins pipelines, or any other of our competition)
• Strong proficiency in scripting and / or software development (Golang, Python, Java/Groovy preferred)
• Experience with authentication / authorization protocols such as OAuth, OIDC, SAML.
• Experience in the OWASP Top Ten (web, API) security risks and how to mitigate them.
• Infrastructure level experience with Google Cloud, Kubernetes (GKE), Terraform and Helm charts is nice to have.
• Passion for automating all the things, while keeping security in mind at all times.

We’re invested in you!

We offer competitive benefits packages, opportunities for professional development, and more. We also offer generous paid time off to allow our employees time to rest, recharge and to be present with family and friends throughout the year.

At CloudBees, we truly believe that the more diverse we are, the better we serve our customers. A global community like Jenkins demands a global focus from CloudBees. Organizations with greater diversity—gender, racial, ethnic, and global—are stronger partners to their customers. Whether by creating more innovative products, or better understanding our worldwide customers, or establishing a stronger cross-section of cultural leadership skills, diversity strengthens all aspects of the CloudBees organization.

In the technology industry, diversity creates a competitive advantage. CloudBees customers demand technologies from us that solve their software development, and therefore their business problems, so that they can better serve their own customers. CloudBees attributes much of its success to its worldwide work force and commitment to global diversity, which opens our proprietary software to innovative ideas from anywhere. Along the way, we have witnessed firsthand how employees, partners, and customers with diverse perspectives and experiences contribute to creative problem-solving and better solutions for our customers and their businesses.

#LI-Remote

#LI-DA1