Product Security Engineer (AppSec) Assessment

Remote - US

Applications have closed

GitHub

GitHub is where over 100 million developers shape the future of software, together. Contribute to the open source community, manage your Git repositories, review code like a pro, track bugs and features, power your CI/CD and DevOps workflows,...


GitHub is changing the way the world builds software, and we want you to help change the way we secure GitHub. We are looking for an experienced application security engineer to join our Product Security Engineering (PSE) Assessment team.
GitHub's Assessment team is responsible for identifying security gaps in our software through dynamic (runtime) and static security testing, participating in deeply technical threat models, executing Rapid Risk Assessments (RRAs), and providing consultative functions to both engineers and other Security team members.

We're looking for an engineer with a zest for securing modern software stacks through the identification of security vulnerabilities to join the team. You will not only identify security gaps in our software and services, but will also collaborate with team members across the organization to ensure GitHub is the most trustworthy platform for developers everywhere to create and build software.
Discovering vulnerabilities is only one step in our Security Development Lifecycle. The Assessment team regularly contributes to preemptive security efforts such as guiding secure coding standards, consulting on external security assessments and audits, and assisting our incident response teams with variant analysis.

Responsibilities

  • Participate in and drive application security review at all stages of the Software Development Lifecycle, including threat modeling, code review and dynamic testing
  • Consult with engineers to design secure code
  • Collaborate with engineers to track vulnerability resolution
  • Assist in automating testing to detect vulnerabilities at scale
  • Assist in variant analysis during our incident response process to identify similar vulnerabilities across our code bases and ensure thorough remediation

Minimum Qualifications

  • Extensive experience in application security principles, best practices and common web security vulnerabilities
  • Significant experience scoping and executing application security testing and code review across complex code bases
  • Experience with performing threat modeling
  • Excellent written and verbal communication skills allowing you to clearly explain intricate vulnerabilities and technically sound mitigations
  • Fundamental knowledge of HTTP, Twirp, gRPC, Git, and network protocols and standards such as DNS and TCP/IP

Bonus points if you have

  • Experience in Cloud architecture security (ex: Azure, AWS, GCP)
  • Experience utilizing GitHub product features, such as GitHub Actions
  • Industry standard certifications (OSCP, AWAE, etc.)
  • Experience and expertise using CodeQL as well as writing CodeQL queries

Minimum salary of $104,400 to maximum $276,900 + bonus + equity + benefits.
Note: Disclosure as required by SB19-085 (8-5-20) of the minimum salary compensation for this role when being hired in Colorado.

Who We Are:

GitHub is the developer company. We make it easier for developers to be developers: to work together, to solve challenging problems, and to create the world’s most important technologies. We foster a collaborative community that can come together—as individuals and in teams—to create the future of software and make a difference in the world.

Leadership Principles:

Customer Obsessed - Trust by Default - Ship to Learn - Own the Outcome - Growth Mindset - Global Product, Global Team - Anything is Possible - Practice Kindness

Why You Should Join:

At GitHub, we constantly strive to create an environment that allows our employees (Hubbers) to do the best work of their lives. We've designed one of the coolest workspaces in San Francisco (HQ), where many Hubbers work, snack, and create daily. The rest of our Hubbers work remotely around the globe. Check out an updated list of where we can hire here: https://github.com/about/careers/remote

We are also committed to keeping Hubbers healthy, motivated, focused and creative. We've designed our top-notch benefits program with these goals in mind. In a nutshell, we've built a place where we truly love working, and we think you will too.

GitHub is made up of people from a wide variety of backgrounds and lifestyles. We embrace diversity and invite applications from people of all walks of life. We don't discriminate against employees or applicants based on gender identity or expression, sexual orientation, race, religion, age, national origin, citizenship, disability, pregnancy status, veteran status, or any other differences. Also, if you have a disability, please let us know if there's any way we can make the interview process better for you; we're happy to accommodate!

Please note that benefits vary by country. If you have any questions, please don't hesitate to ask your Talent Partner.


Tags: Application security Audits AWS Azure Cloud CodeQL DNS GCP GitHub Incident response OSCP Product security Security assessment TCP/IP Vulnerabilities

Perks/benefits: Equity Salary bonus

Regions: Remote/Anywhere North America
Country: United States