Security Engineer, Product Security
Seattle OfficeFull-TimeMid-levelSoftware Engineering
Responsibilities:
- Partner with engineering teams to review designs and implementation plans, identifying security risks early and recommending mitigations.
- Perform threat modeling for new features and major changes, helping teams document risks, assumptions, and security controls.
- Identify and help remediate common vulnerability classes across services and APIs (e.g., auth/authz, injection, data exposure, logic flaws).
- Triage and support remediation of vulnerabilities identified through SAST/DAST tools, internal testing, or third-party findings.
- Conduct security testing and validation, including targeted manual testing for high-risk areas.
- Help improve secure development practices by creating reusable guidance, checklists, and secure patterns for engineering teams.
- Contribute to security tooling and automation that improves coverage, reduces false positives, and streamlines security reviews.
- Assist with product security incidents by supporting investigation, impact analysis, and follow-up remediation.
- Communicate security risks clearly and pragmatically, helping teams prioritize effectively and ship safely.
- Document learnings and contribute to evolving product security processes and standards.
Should have:
- 2–5 years of experience in Product Security, Application Security, or software engineering with a strong security focus.
- Strong understanding of web application and API security fundamentals and common vulnerability classes (OWASP Top 10).
- Experience performing security reviews, threat modeling, or secure architecture assessments for software systems.
- Familiarity with security testing tools and practices (SAST/DAST, dependency scanning, fuzzing, manual testing).
- Comfort reading and reviewing production code in at least one language (e.g., Python, Go, Java, JavaScript/TypeScript).
- Exposure to automated or AI-assisted security tools or workflows, and interest in applying them to improve developer experience and security outcomes.
- Ability to work cross-functionally with engineering teams and communicate findings in a constructive, actionable way.
- Proven ability to drive remediation efforts and follow through on risk reduction outcomes.
Bonus / Nice-to-have:
- Experience with cloud-native architectures (AWS/GCP/Azure), microservices, Kubernetes, service-to-service authentication, and secrets management.
- Experience tuning security tools to reduce noise and improve signal (e.g., improving rules, baselines, or pipelines).
- Familiarity with secure SDLC practices and security champions programs.
- Exposure to bug bounty / vulnerability disclosure or working with external researchers.
- Experience improving internal security automation or developer workflows (including using AI-assisted tooling).
