Senior Product Security Engineer

Senior Product Security Engineer

Los Angeles, CA / New York, NYStubHub Software Engineering / Full-Time / HybridStubHub is on a mission to redefine the live event experience on a global scale.

Whether someone is looking to attend their first event or their hundredth, we’re here to delight them all the way from the moment they start looking for a ticket until they step through the gate.

The same goes for our sellers. From fans selling a single ticket to the promoters of a worldwide stadium tour, we want StubHub to be the safest, most convenient way to offer a ticket to the millions of fans who browse our platform around the world.

StubHub Product Security Engineering is seeking a senior engineer to enhance our security posture within the end user and services product domain.

The perfect candidate will possess extensive experience in CI / CD pipeline security, product and application architecture reviews, contextualized vulnerability management processes, and automation.

This is a hybrid work opportunity located in Los Angeles, CA or New York, NY. About the team : Our Core Platform team serves as the linchpin of our engineering organization, offering common code packages that encapsulate best practices around observability and performance.

The team provides managed services such as Messaging as a Service and Distributed Caching to the rest of the engineering organization.

We focus on the developer experience by equipping our engineers with a rich toolset for building, deploying, and debugging applications and services.

We collaborate cross functionally across all platforms within the organization to ensure all teams are aligned on infrastructure best practices.

What You'll Do :

• Conduct security assessments, code reviews, and penetration tests on web applications, APIs, and mobile applications to identify vulnerabilities and security flaws.
• Collaborate with development teams to integrate security practices into the CI / CD pipelines, including implementing automated code scanning tools.
• Develop and maintain secure coding guidelines and provide training to developers on security best practices and awareness.
• Manage and respond to security incidents, including performing root cause analysis and recommendingremediations.
• Stay abreast of the latest security threats, vulnerabilities, and mitigation techniques; share insights with internal teams to foster a culture of security.
• Assist in the development and implementation of application security policies, standards, and procedures in alignment with industry best practices and regulatory requirements.
• Conduct architectural reviews of new technologies and security controls to ensure they meet security best-practices.
• Develop and / or maintain product vulnerability management processes and procedures.
• Write and maintain production-quality APIs to automate security processes, benefiting infrastructure and developer workflows.
• Operate and respond to enterprise Bug-Bounty program findings.

What You've Done :

• Expert level understanding ofprinciples, theories, and concepts related to offensive webapplication security testing and defense-in-depth remediation approaches.
• Expert level knowledge in conducting vulnerability assessments and code reviews.
• Expert level proficiency withautomated security testing tools (e.g., Burp Suite, OWASP ZAP,Snyk).
• Expert level communication skills, with the ability to articulate complex security issues to technical and non-technical stakeholders.
• Expert level experience in applied cryptography & key management.
• Expert level experience in implementing SAST, DAST and SBOM generation tooling into developer workflows.
• Expert level experience in performing threat modeling (e.g., STRIDE, PASTA)
• Intermediate level proficiencyin at least one scripting language (e.g.,Python, Ruby).
• Intermediate level familiarity of security frameworks (e.g., PCI DSS, CIS, ISO 27001, NIST CSF).

Preferred Skills and Qualifications :

• Security certifications (e.g., OSCP, CEH, CISSP, GWAPT).
• Intermediate level experience with cloud security principles and technologies in AWS & Azure.
• Intermediate level knowledge of Kubernetes (K8s) Security foundations, including admission controllers, K8s Network Policies, K8s RBAC, and K8s Ingress architectures.
• Intermediate level proficiency in DDoS mitigation techniques using AWS Shield, CDN traffic scrubbing, and origin protection mechanisms.
• Intermediate level Software development experience in C#.

What We Offer

• Accelerated Growth Environment : Immerse yourself in an environment designed for swift skill and knowledge enhancement, where you have the autonomy to lead experiments and tests on a massive scale.
• Top Tier Compensation Package : Enjoy a rewarding compensation package that includes enticing stock incentives, aligning with our commitment to recognizing and valuing your contributions.
• Flexible Time Off : Embrace a healthy work-life balance with unlimited Flex Time Off, providing you the flexibility to manage your schedule and recharge as needed.
• Comprehensive Benefits Package : Prioritize your well-being with a comprehensive benefits package, featuring 401k, and premium Health, Vision, and Dental Insurance options.
• Team-Building Events : Engage in vibrant team events that foster camaraderie and collaboration, creating an atmosphere where your professional and personal growth are celebrated.

The anticipated gross annual base salary range for this role is $200,000 $275,000 per year. Actual compensation will vary depending on factors such as a candidate’s qualifications, skills, experience, and competencies.

Base annual salary is one component of StubHub’s total compensation and competitive benefits package, which also includes equity, 401(k), paid time off, paid parental leave, and comprehensive health benefits.