Product Security Engineer

US - San Francisco

Full Time
Fitbit, Inc.

Posted 1 month ago

At Fitbit, our mission is to help people lead healthier, more active lives by empowering them with data, inspiration and guidance to reach their goals.

We started our journey in 2007—as a team of two with one big idea. Since then, we’ve grown to over 1,700 employees, sold over 90 million devices, and built a health and wellness community across the globe. In fact, the Fitbit Community has taken enough steps to walk from the Sun to Pluto and back again! Offering award-winning products, a top-rated mobile app and an easy-to-use dashboard, Fitbit provides personalized experiences that help our users reach their goals. With a reenergized focus on innovative devices, interactive experiences, and enterprise health, we are transforming the way consumers and businesses see health & fitness.

From your first steps as a Fitbitter, you will be at the forefront of developing new products. Our culture combines the spirit of startup with the perks of being public. We offer a competitive benefits package and amazing perks like unlimited snacks, Friday happy hours, a wellness stipend, and a strong focus on a healthy work-life balance. As part of our team, you’ll have the opportunity to grow your career, contribute your ideas to life-changing products and services, and—above all—have fun doing it.

Fitbit’s HQ campus is located in the heart of San Francisco with office locations in Boston, San Diego, Salt Lake City and around the world. Think you’ve found your fit?

The Role

Fitbit exists to help people lead healthier, more active lives by empowering them with data, inspiration, and guidance to reach their goals.

Information Security supports the Fitbit mission by maintaining our position as a trustworthy custodian of our customers’, partners’, and our own data. Product Security is the team that ensures our current and future products are worthy of this trust. We are the security interface with the Fitbit Product and Engineering organizations and provide these teams timely, relevant, pragmatic, and actionable guidance and advice. Product Security engineers understand how software and hardware are built, are deeply familiar with the security challenges in delivering great products and services, and have empathy for the people making them.

We are looking for Product Security engineers who are interested in working across the entire technology stack: from device hardware and firmware, through mobile applications and communication protocols, and into back-end cloud software and infrastructure. We don’t require ‘full stack experience’, but we do expect you to be a subject matter expert in at least one area.

Ideal candidates can come from many different backgrounds — you may be a software engineer who is passionate about security, a bug bounty researcher, someone who has already worked on a product security team, or someone with experience as a security consultant.

Product Security at Fitbit goes beyond finding and eliminating security vulnerabilities in our products; we want to stop them from occurring in the first place. As a team, we’re passionate about root cause analysis; training and awareness; driving security in product road maps; and improving core frameworks, infrastructure and detection tooling.

The Team

We have assembled a team of dedicated security professionals who are passionate about protecting Fitbit and growing their skills. We value:

  • Collaboration over competition
  • Improvement over perfection
  • Pragmatism
  • Direct feedback
  • Continuous improvement

The Role

  • Identifying vulnerabilities & threats
    1. Performing security code and architecture reviews as part of Fitbit’s SDLC
    2. Running threat modeling and adversarial thinking exercises
    3. Contributing detections to our proprietary static code analysis tool
    4. Overseeing or performing pentests
  • Engineering for security
    1. Building tools and automation to detect product security issues
    2. Influencing product engineering features and roadmaps
    3. Driving security improvements in core infrastructure and frameworks
  • Addressing systemic risks
    1. Being a technical leader and mentor for engineering and other security teams
    2. Running root cause analysis exercises and product risk reduction programs
    3. Leading developer security outreach, training, and awareness

Must Have:

To be successful in this role, you:

  • Have a broad understanding of general software development practices, the associated risks, and the components of a modern product security program
  • Work proactively or with limited guidance on tasks
  • Collaborate well with teammates and with product and functional teams

Nice to Have:

  1. Security assessment methodologies
    1. Code comprehension in two or more languages (e.g. Java, Python, Golang, C)
    2. Developing and running scripts for automated static code analysis
    3. Bug bounties and responsible disclosure programs
    4. Common security flaws in two or more modern tech stacks. For example:
      1. iOS and Android mobile applications
      2. Web applications
      3. Back-end services
      4. Infrastructure and Cloud Services
  2. Security by design
    1. Threat modelling (e.g. STRIDE, DREAD, etc.)
    2. Securing cloud infrastructure (e.g. GCP, AWS, etc.)
    3. Familiarity with server hardening
    4. Technology and/or architectural review board experience
  3. Scripting & Automation
    1. Ability to automate common tasks in Python

Fitbit is proud to be an equal opportunity employer. We recruit, hire, train, promote, pay, and administer all personnel actions without regard to race, color, ancestry, national origin, citizenship, religion, age, sex (including pregnancy, childbirth, and medical conditions related to pregnancy, childbirth, or breastfeeding), sex stereotyping (including assumptions about a person’s appearance or behavior, gender roles, gender expression, or gender identity), sexual orientation, gender, gender identity, gender expression, marital status, medical condition, mental or physical disability, military or veteran status, genetic information or other statuses protected by law. We interpret these protected statuses broadly to include both the actual status and any perceptions and assumptions made regarding these statuses.

San Francisco applicants: Pursuant to the San Francisco Fair Chance Ordinance, Fitbit will consider for employment qualified applicants with arrest and conviction records.