Product Security Senior

To get the best candidate experience, please consider applying for a maximum of 3 roles within 12 months to ensure you are not duplicating efforts.

Job Category
Product

Job Details

About Salesforce

Salesforce is the #1 AI CRM, where humans with agents drive customer success together. Here, ambition meets action. Tech meets trust. And innovation isn't a buzzword - it's a way of life. The world of work as we know it is changing and we're looking for Trailblazers who are passionate about bettering business and the world through AI, driving innovation, and keeping Salesforce's core values at the heart of it all.

Ready to level-up your career at the company leading workforce transformation in the agentic era? You're in the right place! Agentforce is the future of AI, and you are the future of Salesforce.

We are looking for the best security engineers in the world.

Do you want to help secure the experience of millions of people every day? If so, Salesforce is looking for people like you!

The Product Security team at Salesforce is responsible for the product security efforts for Salesforce products. We're looking for dedicated security engineers, who are able to influence strategic product security efforts and security direction of existing and new products.

We make ourselves available at every stage in the software development lifecycle, facilitating secure design choices without sacrificing the usability of our products. You'll own product security effort for several engineering teams within one or more business units

You will work closely with our engineering teams to scope and implement application security reviews throughout the development cycle, including architecture reviews and threat models, secure code reviews, and platform and application penetration testing.

You are expected to be an SME and help lead strategic product security initiatives for all the products supported by the team, learn about multiple products, work with engineering architects, and product organization to build secure products.

Key responsibilities

• Influences and/or defines product security strategy for multiple business units and products.
• Partners closely with engineering, and product organization to drive strategic security initiatives.
• Act as an authority for multiple security domains, and mentor junior team members to drive the critical initiatives for you.
• Scope and perform application security reviews of our full stack: web applications, APIs, and platform architectures.
• Provide our engineers with well-researched security advice to demonstrate vulnerabilities and provide secure development guidance.
• Assist in the triage of vulnerabilities that are found internally, privately or publicly disclosed, or reported through our bug bounty program.
• Produce research and collaborate with our peers in the broader Infosec, public cloud communities and industries.
• Constantly question existing security practices and routines, and update, replace, or automate them.
• Write and promote secure development practices for our engineers

• Experience with performing threat modeling and architecture reviews.
• Hands-on experience with manual code review is a must.
• Experience with black box, grey box, and white box security testing of applications
• Strong understanding of OWASP Top 10 and CWE Top 25.
• Experience with at least one public cloud (AWS/GCP/Azure) infrastructure security protections and weaknesses.
• Strong working knowledge of web application development and architecture, HTTP, and TLS.
• Strong grasp of practical cryptography usage, able to recommend the best approach for storage, transport and identity purposes, specifically in the realm of public cloud.
• Scripting skills - our primary languages are Python, Go, Elixir and Ruby, but we'll happily speak to candidates with other language backgrounds.
• Comfortable working with continuous integration/delivery and agile development teams.
• Hard-working and independent.
• Enthusiastic and quick learning of complex systems and poorly-documented open source software.
• Offensive mentality and the ability to think of and consider abuse and attack paths as well as the defensive attitude to think of recommendations to prevent them.
• Strong influencer with a validated ability to build deep relationships and get things done with minimal supervision.
• Capability to look at the big picture/architecture and propose strategic security solutions.
• Hands-on experience in driving the security efforts for multiple complex, large scale and multi-functional projects.
• Be able to act as a multiplier via junior team members to accomplish more than the sum total of individual efforts.
• 6+ Years of experience.

• Application Security tools like Burp, OWASP ZAP, brakeman, and other DAST and SAST tools.
• Languages - one or more of: Ruby, Python, Java, Go, Shell, JavaScript, both for performing code reviews and creating your own scripts and tooling (fuzzers, scanners, etc.).
• Modern web technologies - Ember.js, Angular, React+Redux, GraphQL, Websockets etc,.
• Public cloud experience; Alibaba cloud experience is a plus.

• Degree-level education, certification(s), and/or relevant work experience
• Any relevant certifications are a plus

• Experience with Salesforce technologies is a plus.
• Hand on experience with any public cloud (AWS/GCP/Azure) security is a plus