Senior Product Security Engineer

StubHub is on a mission to redefine the live event experience on a global scale. Whether someone is looking to attend their first event or their hundredth, we’re here to delight them all the way from the moment they start looking for a ticket until they step through the gate. The same goes for our sellers. From fans selling a single ticket to the promoters of a worldwide stadium tour, we want StubHub to be the safest, most convenient way to offer a ticket to the millions of fans who browse our platform around the world.

StubHub Product Security Engineering team is seeking a Senior engineer to enhance our security posture within the end user and services product domain. The perfect candidate will possess experience in CI/CD pipeline security, product and application architecture reviews, contextualized vulnerability management processes, and automation. 

  This role will be based in either our New York, NY or Los Angeles, CA office and has a hybrid (3 in-person days per week) work schedule.

About the team:

Our Security Platform team serves as the linchpin of our engineering organization, offering common code packages that encapsulate best practices around observability and performance. The team provides managed services such as Messaging as a Service and Distributed Caching to the rest of the engineering organization. We focus on the developer experience by equipping our engineers with a rich toolset for building, deploying, and debugging applications and services. We collaborate cross functionally across all platforms within the organization to ensure all teams are aligned on infrastructure best practices.

 

What You’ll Do:

• Conduct security assessments, code reviews, and penetration tests on web applications, APIs, and mobile applications to identify vulnerabilities and security flaws. 
• Collaborate with development teams to integrate security practices into the CI/CD pipelines, including implementing automated code scanning tools. 
• Develop and maintain secure coding guidelines and provide training to developers on security best practices and awareness. 
• Manage and respond to security incidents, including performing root cause analysis and recommending remediations. 
• Stay abreast of the latest security threats, vulnerabilities, and mitigation techniques; share insights with internal teams to foster a culture of security. 
• Assist in the development and implementation of application security policies, standards, and procedures in alignment with industry best practices and regulatory requirements. 
• Conduct architectural reviews of new technologies and security controls to ensure they meet security best-practices. 
• Develop and/or maintain product vulnerability management processes and procedures. 
• Write and maintain production-quality APIs to automate security processes, benefiting infrastructure and developer workflows. 
• Operate and respond to enterprise Bug-Bounty program findings. 

What You’ve Done:

• Expert level understanding of principles, theories, and concepts related to offensive web application security testing and defense-in-depth remediation approaches. 
• Expert level knowledge in conducting vulnerability assessments and code reviews. 
• Expert level proficiency with automated security testing tools (e.g., Burp Suite, OWASP ZAP, Snyk). 
• Expert level communication skills, with the ability to articulate complex security issues to technical and non-technical stakeholders. 
• Expert level experience in applied cryptography & key management. 
• Expert level experience in implementing SAST, DAST and SBOM generation tooling into developer workflows. 
• Expert level experience in performing threat modeling (e.g., STRIDE, PASTA) 
• Intermediate level proficiency in at least one scripting language (e.g., Python, Ruby). 
• Intermediate level familiarity of security frameworks (e.g., PCI DSS, CIS, ISO 27001, NIST CSF). 

Preferred Skills and Qualifications

• Security certifications (e.g., OSCP, CEH, CISSP, GWAPT). 
• Intermediate level experience with cloud security principles and technologies in AWS & Azure. 
• Intermediate level knowledge of Kubernetes (K8s) Security foundations, including admission controllers, K8s Network Policies, K8s RBAC, and K8s Ingress architectures. 
• Intermediate level proficiency in DDoS mitigation techniques using AWS Shield, CDN traffic scrubbing, and origin protection mechanisms. 
• Intermediate level Software development experience in C#.

What We Offer:

• Accelerated Growth Environment: Immerse yourself in an environment designed for swift skill and knowledge enhancement, where you have the autonomy to lead experiments and tests on a massive scale.
• Top Tier Compensation Package: Enjoy a rewarding compensation package that includes enticing stock incentives, aligning with our commitment to recognizing and valuing your contributions.
• Flexible Time Off: Embrace a healthy work-life balance with unlimited Flex Time Off, providing you the flexibility to manage your schedule and recharge as needed.
• Comprehensive Benefits Package: Prioritize your well-being with a comprehensive benefits package, featuring 401k, and premium Health, Vision, and Dental Insurance options.
• Team-Building Events: Engage in vibrant team events that foster camaraderie and collaboration, creating an atmosphere where your professional and personal growth are celebrated.

The anticipated gross base pay range is below for this role. Actual compensation will vary depending on factors such as a candidate’s qualifications, skills, experience, and competencies. Base annual salary is one component of StubHub’s total compensation and competitive benefits package, which includes equity, 401(k), paid time off, paid parental leave, and comprehensive health benefits. 

Salary Range$200,000—$275,000 USDAbout Us  StubHub is the world’s leading marketplace to buy and sell tickets to any live event, anywhere. Through StubHub in North America and viagogo, our international platform, we service customers in 195 countries in 33 languages and 49 available currencies. With more than 300 million tickets available annually on our platform to events around the world -- from sports to music, comedy to dance, festivals to theater -- StubHub offers the safest, most convenient way to buy or sell tickets to the most memorable live experiences. Come join our team for a front-row seat to the action.    For California Residents: California Job Applicant Privacy Notice found here   We are an equal opportunity employer and value diversity on our team. We do not discriminate on the basis of race, color, religion, sex, national origin, gender, sexual orientation, age, disability, veteran status, or any other legally protected status.