The Platform Security team is responsible for the overall security of Heroku platforms and infrastructure, other public cloud deployments, and for compliance with established security policies. We’re looking for dedicated security engineers who understand public cloud and platforms, and their unique security challenges, to join the team.
Platform Security is responsible for supporting our engineers in creating the most trusted platform for app delivery. We make ourselves available at every stage in the software development lifecycle, facilitating secure design choices without sacrificing the usability of our products.
You’ll work closely with our engineers to scope and execute platform application security reviews throughout the development cycle, including architecture reviews and threat models, secure code reviews, and platform and application penetration testing. Creative security solutions are expected in order to enable our engineers to excel at what they do best.
The role is geared toward a Security Engineer who has experience with platform application security testing, software engineering, and working in an agile engineering environment. We’re looking for someone who’s excited to apply those skills to the world’s leading Platform-as-a-Service. We are geographically diverse and a ‘remote first’ team.
Key responsibilities
- Scope and perform application security reviews of our full stack: web applications, APIs, and platform architectures.
- Provide our engineers with well-researched security advice to demonstrate vulnerabilities and provide secure development guidance.
- Assist in the triage of vulnerabilities that are found internally, privately or publicly disclosed, or reported through our bug bounty program.
- Produce research and collaborate with our peers in the broader infosec and public cloud communities and industries.
- Constantly question existing security practices and routines, and update, replace, or automate them.
- Write and promote secure development practices for our engineers.
Key competencies
- Experience with black box, grey box, and white box security testing of applications.
- Experience with public cloud infrastructure security protections and weaknesses.
- Experience with performing threat modeling and manual secure code review.
- Strong working knowledge of web application development and architecture, HTTP, and TLS.
- Scripting skills (our primary languages are Ruby, Python, Go, and Elixir, but we’ll happily speak to candidates with other language backgrounds).
- Strong grasp of practical cryptography usage, able to recommend the best approach for storage, transport and identity purposes, specifically in the realm of public cloud.
- An offensive mindset, able to identify and reason about abuse and attack paths, combined with a defensive mindset that can recommend ways to prevent them.
- Enthusiasm for, and quick learning of, complex systems and poorly documented open source software.
- Comfortable working with continuous integration/delivery and agile development teams.
- Able to work collaboratively across diverse engineering teams and products to meet organizational security goals.
Technologies
Strong candidates will have worked with some of these and/or similar technologies:
- Application security tools like Burp, OWASP ZAP, Brakeman, and other DAST and SAST tools.
- Linux, and especially technologies like LXC, Docker, seccomp, grsecurity, etc.
- A functional understanding of Amazon Web Services primitives (VPC, IAM, KMS, EC2, S3, EBS, ELB, etc.) or similar is not required, but will certainly help.
- Security features in container and container orchestration technologies (LXC, Docker, Kubernetes, gVisor).
- Languages: one or more of Ruby, Python, Java, Go, Shell, and JavaScript, both for performing code reviews and for creating your own scripts and tooling (fuzzers, scanners, etc.).
- Modern web technologies: Ember.js, Angular, React+Redux, GraphQL, Socket.io/WebSockets.
- Experience with building security automation is a big plus.