Senior Product Security Engineer
Our Product Security team supports the following tenet of Slack’s mission: make people’s working lives more secure. We’re serious about protecting our infrastructure, operations, and most importantly our customers’ data. We take a systemic approach to security and strive to ensure we provide low friction high-impact security across everything we do. As a member of the Product Security team you care about shipping secure products and ensuring that the way in for the bad guys is never through the front door. You are passionate about enabling our developers in shipping secure products. You think about your job as not fixing bugs but finding effective ways to eliminate them. Your work will directly impact the way millions of people, teams, and businesses get things done using Slack.
Slack has a positive, diverse, and supportive culture—we look for people who are curious, inventive, and work to be a little better every single day. In our work together we aim to be smart, humble, hardworking and, above all, collaborative. If this sounds like a good fit for you, why not say hello?
What you will be doing
- Performing technical security assessments on our web applications, mobile clients, internal services, and partner applications
- Contributing feedback to engineers during all phases of the development lifecycle
- Efficiently scoping blackbox, whitebox, and graybox assessments to optimize security review time and resources
- Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns
- Maintaining and creating secure development practices and programs for our engineering teams and external developers
- Acting as an ambassador for the secure development lifecycle within Slack
- Serving as a public representative for security at Slack by engaging in internal and external speaking engagements
- Maintaining your skills and keeping your technical knowledge current and relevant to the technologies used at Slack
- Seeking out opportunities to automate processes when appropriate
- Identifying risk in code, applications, processes, and architecture
- Tracking and validating issues detected during internal reviews
- Reviewing and tracking issues reported via our Bug Bounty Program, by Slack customers, and by other researchers
- Prioritize issues using CVSS or similar vuln scoring system
- Mentor junior team members in conducting security reviews
What you should have
- Bachelor’s degree in Computer Science, Engineering or related field, or equivalent training, fellowship, or work experience
- 4+ years experience in security testing of web applications and native mobile apps
- Deep understanding of web application architecture and design principles
- Strong written and verbal communication skills and communicate with empathy when delivering constructive feedback regarding security matters to engineers and product designers
- Background in software engineering and common development practices in a collaborative and dynamic environment
- Familiarity with common web application testing tools for DAST, SAST, and IAST analysis such as Burp Suite, Checkmarx, Veracode
- Knowledge of authentication mechanisms like SAML, OAuth, etc.
- Knowledge of common security flaws and resolution as published by OWASP, SANS, etc.
- Knowledge of how to test code and applications across various platforms (iOS, Mac, Linux, Windows, Android, etc) for security and quality
- Ability to see patterns, commonalities and investigate complex issues
- Organizational skills to bring together and record detailed and accurate information about bugs and systemic issues
- Experience with Amazon AWS services and familiarity with Slack products is a plus
- Current or former security training or certifications such as SANS GWAPT or similar is a plus
- Public speaking engagements or published research is also a plus
Slack is an Equal Opportunity Employer and participant in the U.S. Federal E-Verify program. Women, minorities, individuals with disabilities and protected veterans are encouraged to apply. Slack will consider qualified applicants with criminal histories in a manner consistent with the San Francisco Fair Chance Ordinance.
Slack is a layer of the business technology stack that brings together people, data, and applications – a single place where people can effectively work together, find important information, and access hundreds of thousands of critical applications and services to do their best work. From global Fortune 100 companies to corner markets, businesses and teams of all kinds use Slack to bring the right people together with all the right information. Slack is headquartered in San Francisco, CA and has ten offices around the world. For more information on how Slack makes teams better connected, visit slack.com.
Ensuring a diverse and inclusive workplace where we learn from each other is core to Slack’s values. We welcome people of different backgrounds, experiences, abilities and perspectives. We are an equal opportunity employer and a pleasant and supportive place to work.
Come do the best work of your life here at Slack.