Security Engineer, Scaled Assessment

Who we are

About Stripe

Stripe is a financial infrastructure platform for businesses. Millions of companies—from the world’s largest enterprises to the most ambitious startups—use Stripe to accept payments, grow their revenue, and accelerate new business opportunities. Our mission is to increase the GDP of the internet, and we have a staggering amount of work ahead. That means you have an unprecedented opportunity to put the global economy within everyone’s reach while doing the most important work of your career.

About the team

Application security engineers use security and development knowledge to help teams to move quickly without compromising on security.

Stripe powers businesses all over the world. We process payments, run marketplaces, detect fraud, help entrepreneurs start a business from anywhere in the world, build world-class developer-friendly APIs, and more. Nearly every system we operate interacts with sensitive financial or personal data — making security a top priority for Stripe.

What you’ll do

Our Scaled Assessment team works to measure our security posture, guide risk management and provide implementation-time guard-rails. This involves programmatic detection of common security issues, providing insight to help reason about known risks, performing deep-dive code reviews on key components, and developing security guard-rails to help prevent engineers from unintentionally impacting security.

Responsibilities

• Work with our code
• Be a security subject matter expert and answer security questions
• Deploy vulnerability management tools across CI/CD, compute, and container infrastructure to detect vulnerabilities and security misconfigurations.
• Scale proactive security controls for new products and new environments (e.g. acquisitions).
• Develop techniques to ensure teams find flaws before they are introduced into production
• Design and implement automated and integrated security testing at scale. 
• Profile just-in-time code review of security-sensitive code
• Evaluate the security posture of existing applications with pentests, code review, and scoping special engagement
• Promote critical issues and bug bounty reports into incidents, help fix, and specify long-term remediation work 
• Lead security initiatives

Who you are

We’re looking for someone who meets the minimum requirements to be considered for the role. If you meet these requirements, you are encouraged to apply. The preferred qualifications are a bonus, not a requirement.

Minimum requirements

• A deep understanding of the web's security model
• An ability to correctly prioritize the best opportunities to reduce risk
• The ability to think like an attacker but maintain empathy for developers. And can express strong opinions while staying humble
• Software engineering experience in a production environment across multiple programming languages
• Ability to ignore industry norms when solving a problem
• Has designed or implemented mitigations for common bug classes