Sr. Security Engineer
San Francisco, CA 94107
Senior Security Engineer
The Senior Security Engineer role is a multi-faceted role tasked with participating in and/or leading the selection, design, and implementation/operation of platform- and operational-level controls. The role, reporting to the Head of Security and Compliance, is part of our client's team accountable for information security, compliance, and trust and safety.
As a senior contributor in the team overseeing technology controls at the platform and operational level, the incumbent will be involved in multiple work streams, each employing a diverse set of technology solutions and operational processes. The role will be embedded or otherwise spend time with the platform and infrastructure/operations squads, while also being involved in product and development processes, risk management and technology governance, fraud management, and investigations.
This is a great opportunity to drive security/control innovation throughout the engineering team and work with both cool and challenging technologies, processes, and people (the latter being just cool). You will spend time learning/understanding how things work, defining controls, driving implementation, and being a (security) technical expert in the engineering team. You will wear many hats, from advisor to doer, and everything in-between.
What you'll need to be successful:
- You have, or are on your way to, master the ability to influence without direct control.
- You can establish credibility and build trust with developers and operational staff; you are confident, without being arrogant.
- You are a strong communicator who can lead technical architecture discussions and help drive technical decisions. Moreover, capturing your thoughts in writing doesn't feel like a punishment.
- You are able to handle multiple issues or requests, oftentimes conflicting, and find the (self) discipline to deliver both small and big wins.
- Although you embrace, and thrive, in a fluid environment, you also see the benefits of structure and can find, more often than not, the right balance between agility and predictability.
- You have a non-dogmatic mindset, enjoy a discourse with someone who has an opposing view, and have what is called in Zen shoshin (a beginner's mind).
- You are passionate about learning new things: while you're not expected to know everything you will face, you are expected to learn new things when appropriate.
- Although you see the big picture, you recognize the importance of details and make sure t's are crossed and i's dotted.
- You know AWS and commonly used AWS services (KMS, Container Registry, ELBs, Lambda, API Gateway, CloudTrail, IAM, etc.) like the back of your hand.
- You've been in shops using containers/microservices and associated orchestration (e.g., Docker/K8s/Istio), and understand the risks and opportunities associated with these technologies.
- You have an excellent understanding of both human and non-human identity and authentication options/use cases.
- You have spent time, hands-on, with typical CI/CD and devops tools, from GitHub to Jenkins and Ansible. The specific tools are not as relevant; the experience operating in a CI/CD/devops environment is what really matters.
- You can write automation scripts, ideally in more than one language. Ideally, you have automated security processes in cloud environments & you write understandable, testable code with an eye towards maintainability.
- You understand cryptography and key management common use cases.
- You have done some threat modeling or have a good understanding of the commonly used approaches (e.g., SDL, TAM, asset-centric).
- You have done some triaging of vulnerabilities and determining appropriate mitigation options. Ideally, you have done this at the infrastructure, platform, and application level. Experience with bug bounty platforms/managed penetration testing services is a bonus.
- You have performed at least a few penetration tests/red team exercises in the past. The kind that involve manual verification, exploitation, lateral movement, etc.
- You have been around event management solutions and feel comfortable with a SEM solution, have dealt with data modeling when building event detection and alerting capabilities, love metrics, and have investigated at least several incidents and feel comfortable with typical threat hunting/incident response processes.
- You know how to get a STIX/TAXII client going and know your way around both free and paid feeds.
Blackstone is a global IT services and solutions firm that implements digital transformation solutions across commercial industry verticals and the US Federal Government. Blackstone was founded in 1998, and has offices in San Francisco, Denver, Houston, Colorado Springs, and Washington, DC. We specialize in IT staffing and place both technical and creative talent across a variety of industries and sectors.
EOE of Minorities/Females/Veterans/Disabilities