Senior/Staff Application Security Engineer (Remote, Americas)
Portland, OR, United States
Shopify
Company Description
Shopify has redefined commerce, raising the standard for how companies of all sizes sell their products and services online and off. Shopify powers millions of businesses in more than 175 countries and is trusted by brands such as Allbirds, Gymshark, PepsiCo, Staples, and many more.
We're one of the greatest engines for economic independence on the planet, and our mission has never been more important to the world than it is right now.
Job Description
The Application Security team works to discover and fix security vulnerabilities in Shopify's products through sources such as internal security assessments and Shopify's public Bug Bounty program. The team then develops tooling, static analysis checks, and low-level fixes.
While all under one Application Security team, you will have the opportunity to work in the three key areas to secure our products.
- Proactive Security: Static analysis (both figuring out rulesets and deploying the technology to run them at Shopify scale), carefully chosen manual security reviews (for very high value or high risk projects), and deploying organization-wide tooling to help teams prioritize security issues.
- Bug Bounty: Shopify runs one of the world's largest bug bounty programs. The Bug Bounty team works on making our program even more awesome through tooling and special events (e.g., tracking which reports have outstanding comments we haven't responded to, better search, and building process, such as always giving a report a severity, into the technology itself).
- Ecosystem Security: Many external developers use Shopify's API to build things, and merchants want these integrations to be secure. We're building automated tooling, both by integrating existing enterprise solutions and by creating net-new scanners with headless browsers, to test apps that are coming into our app store from a black-box perspective.
In your day to day, you’ll be working on things like:
- Testing applications for security vulnerabilities
- Evolving the security of Shopify's third-party app ecosystem through automated and manual testing
- Investigating, summarizing, and actioning reports submitted to our bug bounty program
- Working side-by-side with hackers in Live Hacking Events
- Developing static analysis tooling to help developers find and fix security issues
- Educating developers on the best ways to secure their applications
- Creating hacking challenges to teach development teams about application security
Qualifications
- Experience working within or building an application security program for an organization
- Knowledge of common web application vulnerabilities such as XSS, CSRF, and insecure direct object references
- Experience testing web applications for security issues OR experience developing web applications using modern frameworks
- The ability to educate development teams on web application vulnerabilities and work with the developers to address them
It’d be great if you have:
- Experience developing or deploying security testing tools
- Experience with bounty programs such as Shopify's HackerOne program (https://hackerone.com/shopify)
- Experience participating in or organizing Capture the Flag (CTF) competitions
Don’t meet 100% of the bullets above but currently work in the app sec space and are still interested? Please apply and share your information - we want to talk to you!
Additional Information
Learn more about our Bug Bounty program
A couple of final notes:
We know that applying to a new role takes a lot of work and we truly value your time. As one of the last steps in the application process, you're going to see a space where you can write us a message. Please address it to Marina 👋.
We look forward to reviewing your application!
Please note this posting will close on Monday, Nov 7, 2022 at 11:59PM EDT.
Shopify is now permanently remote, and we’re working towards a future that is digital by design. That location you see above? Consider it merely an example of hundreds of potential locations Shopify is hiring. Learn more here: https://www.shopify.com/careers/work-anywhere
Our belief is that a strong commitment to diversity & inclusion enables us to truly make commerce better for everyone. We encourage applications from Indigenous peoples, racialized people, people with disabilities, people from gender and sexually diverse communities, and/or people with intersectional identities. Please take a look at our Sustainability Reports to learn more about Shopify’s commitments to our communities, and our planet.
At Shopify, we understand that experience comes in many forms. We’re dedicated to adding new perspectives to the team - so if your experience is this close to what we’re looking for, please consider applying.
Tags: APIs Application security CSRF CTF Security assessment Vulnerabilities XSS
Perks/benefits: Team events