Box is expanding its Security Architecture and Engineering team, and we encourage you to contact us about joining the team. We're seeking people who are excited about growing and improving our core security services & capabilities, and helping us keep Box and Box customers secure. We hope you are interested in or have previous experience with the concepts behind most of the core components of this team's responsibilities. Please keep in mind that the degree of depth and breadth we're looking for depends upon the role you're interested in. If you feel that you're qualified in one or more of these areas, and are interested in learning the rest of them, then you cannot waste our time. Please contact us.
The team is responsible for designing and implementing key security controls and monitoring technologies, providing architectural design input for company-wide internal and external projects that are both technical and non-technical, providing guidance for major initiatives involving Box technologies and infrastructure, making discrete and gestalt information risk decisions, and administering key components in support of all other responsibilities.
This team is focused on the following areas of information security. You will, depending on role, focus on one or more of them. You can expect to learn about ALL of them as you spend time on this team and as your role expands:
- Authentication and Authorization
- Design patterns, repeatable guidance, and where necessary, policy
- Cryptography and key materials handling
- Development of security services (mostly Python & Java)
- Network and host monitoring
- Making defensible & repeatable risk decisions
- Linux, OSX, and Windows systems administration
- Development and deployment infrastructure
- Process development and support
- Large security data set analysis (ELK/Splunk) & management of analysis systems
You'll also get to learn about supporting compliance, legal, and internal development efforts as we are often subject matter experts for them. You'll get to work with a wide variety of partners and customers on a team that values input and learning.
This is a diverse team made up of security engineers, architects, and administrators, from widely varied backgrounds, owning different parts of the control lifecycle and supporting each other's shared goals. This team is defined around a collaborative environment to develop not only the control mechanisms we need in place, but the capabilities and analysis maturity of each team member and their respective career development.
We require that you be very bright, be eager to learn new things, and be capable of approaching situations without cynicism. We're not looking for embattled walking security tropes to tell our internal customers "no" in funny new ways. The security team at Box is trusted with protecting essential information of great value to our organization and our customers, large and small, and we expect that you'll take that responsibility seriously.
This team is focused on enabling partners and customers to make the right balanced decision for the right reasons. If you're not afraid to be wrong, and are concerned about doing what's right for everyone from the customer to your teammates, and not just your responsibilities then this might be a good role for you.
Again, we want you to be familiar with several of this team's responsibility areas, or deeply competent in one of them and interested in the other areas. We know that lots of good people don't give themselves enough credit for their own competency. If you think you're interested, and that you may be qualified, please contact us. You cannot waste our time. Let us worry about our time. We want you to apply.
These specific requirements provide some context around the broad responsibilities of the Box security team - any members of the team are encouraged to specialize or generalize within the context of these areas.
Security Engineer (Architecture Focus)
Help teams develop, understand, and internalize security requirements, guide security-critical projects to successful conclusions, establish strong relationships with internal teams to integrate security into their processes.
2+ years experience in a consultative security role, or some form of equivalent consultative experience with one or more of the security team responsibilities listed above
Assist with the practical implementation of security design principles, including developing meaningful mitigations with partner teams
Partner with Compliance and Legal teams to support their requirements throughout the organization
A generalist background across host, network, and application security
Security Engineer (Operations Focus)
Be competent and excited about linux systems administration, securing linux systems and services, and integrating and building both the necessary internal operational tooling as well as systems various projects.
2+ years experience with linux or BSD
1+ years full time experience in a linux or BSD administration role
2+ years experience with DevOps environment
2+ years experience with Java or Python
1+ years experience with ELK, Splunk, or similar product
Proven track record of executing on tasks without increasing security debt
Capable of scripting complex functions in preferred language
Security Engineer (Development Focus)
Possess a drive to design, develop, test, and deploy security technologies. Be interested in optimizing both COTS security tools and designing tools from scratch or open source efforts where each makes the best sense. Be excited about helping team mates and internal partners with security challenges.
2+ years full time experience in an internal security role
2+ years experience with python, perl, or java
Familiar with most security concepts listed above, fluency in at least two
Comfortable working in a managed configuration environment