Staff Product Security Engineer

Affirm · Remote (Remote US)
Software Development
Programmatic

WFA Digital Insight

Demand for skilled product security engineers has surged in recent years, with a 27% increase in job postings in the last quarter alone. As companies like Affirm prioritize security, professionals with expertise in threat modeling, secure coding practices, and cloud security are in high demand. With Affirm's commitment to making credit more honest and friendly, this role offers a unique chance to make a significant impact. Before applying, candidates should be aware of the importance of programmatic security and the need for collaboration with cross-functional teams. With the right skills and experience, this could be a dream role for those passionate about security and product development.

Job Description

About the Role

The Staff Product Security Engineer position at Affirm is a critical component of the company's mission to make information security programmatic and cultural. As a key member of the security team, you will work closely with product and engineering teams to evaluate and influence product requirements, design, and implementation to improve the security of Affirm's products. This role entails day-to-day collaboration with various stakeholders to ensure security is integrated into every phase of the product development lifecycle.

Affirm values information security as a critical part of its continued success, and this role plays a pivotal part in achieving that goal. The ideal candidate will have experience building and architecting software as part of a larger team and will work effectively with product and engineering teams to identify and mitigate security threats.

What You Will Do

  • Partner with Affirm product teams to ensure that security is included in every phase of the product development lifecycle.
  • Conduct threat modeling and architecture reviews to ensure threats are understood, documented, and mitigated.
  • Review and analyze product source code to identify security vulnerabilities and provide recommendations for secure implementation.
  • Seek out opportunities to automate processes when appropriate.
  • Identify emerging classes of vulnerabilities and develop solutions for them before they become a problem.
  • Assist product teams in the development of security-focused test cases to enforce security requirements.
  • Advise product teams on business security requirements early in the product development lifecycle.
  • Decompose large, cross-team projects into individual tasks, manage scope across teams, and drive toward project closure.

What We Are Looking For

  • Deep understanding of web application architecture and design principles.
  • Experience using modern software development and delivery techniques to develop cloud-based services, with preferred experience in Python, Kotlin, Java, AWS, and Azure.
  • Knowledge of common security flaws and resolutions as published by OWASP, SANS, etc.
  • Experience with PCI or other regulated environments.
  • Experience conducting threat models for complex, distributed products using standard threat modeling techniques and methodologies.
  • Experience with standard authentication mechanisms, including SAML and OAuth2.
  • Understanding of continuous integration / continuous delivery (CI/CD) pipelines and their security implications.

Nice to Have

  • Experience with cloud security platforms and services.
  • Familiarity with DevOps practices and tools.
  • Knowledge of compliance frameworks such as HIPAA, GDPR, etc.
  • Experience with bug bounty programs and vulnerability disclosure policies.

Benefits and Perks

  • Competitive compensation package.
  • Opportunities for professional growth and development in a rapidly expanding company.
  • Flexible working hours and remote work options.
  • Access to cutting-edge technologies and tools.
  • Comprehensive health insurance and benefits package.
  • Generous parental leave policy.
  • Employee stock options.

How to Stand Out

  • Ensure your resume highlights specific examples of security vulnerabilities you've identified and mitigated in previous roles.
  • Practice explaining complex security concepts in simple terms, as this will be crucial in your collaboration with non-technical teams.
  • Familiarize yourself with Affirm's products and services to understand the security challenges they face and how you can contribute to solving them.
  • Prepare to discuss your experience with threat modeling, secure coding practices, and compliance frameworks during the interview process.
  • Consider creating a personal project that demonstrates your security skills, such as a vulnerability scanner or a secure web application, to showcase your expertise.
  • Be ready to provide specific examples of how you've automated security processes in the past and how you stay updated with the latest security threats and technologies.

This is a remote position listed on WFA Digital, the platform for professionals who work from anywhere.