Senior Security Engineer
Seattle, Washington, United States
Software and Services
Are you a security engineer who enjoys using your expertise to help developers build securely? Come help us build our security baselines program, an innovative approach to addressing the industry-wide challenge of scaling security engineering coverage across large organizations.
- 5+ years of work experience in security engineering focused on building secure systems; familiarity with Product Security, Application Security, or Adversarial Simulation such as Penetration Testing is a plus
- In-depth knowledge of OWASP Top Ten and ability to describe common vulnerabilities in detail
- Familiarity with common security control frameworks, such as NIST
- Experience assessing software and services to identify vulnerabilities, enumerate attack surfaces, and highlight security and privacy concerns in complex systems, including offering mitigation strategies
- Familiarity and experience with the Secure Development Lifecycle process, including CI/CD pipelines and multi-tenant compute infrastructure and the various security controls woven throughout
- Experience advising developers how to build securely, offering guidance through implementation details, and creative solutions where technical constraints exist
- Experience developing and driving implementation of frameworks to manage security threats and vulnerabilities
- Ability and experience ramping up quickly to new tech stacks
- Excellent technical written and verbal communication skills
- Empathy for our engineering partners, and the ability to collaborate towards practical solutions that meet everyone’s needs
Your role will be to define and advocate for a common set of minimum security requirements, help make it easy for teams to adopt those requirements, and measure progress along the way. This is not a checkbox role: baselines are only meaningful if they are mapped to a reasonable threat, and the recommended mitigation is possible via battle-tested tools that exist today. You’ll set the bar and shape the future of our security standards by iterating on your experience with engineering team challenges as they adopt practices and tools to develop securely.
- Define the achievable, minimum level of security controls a service should have in order to take production traffic
- Leverage an understanding of how complex software is written and deployed to identify tools which make it easier to build securely, and curate those that are a good fit for our organization and tech stacks
- The ability to investigate and assess internal and externally-created tools and technical solutions, to curate those that are a good fit for our organization and tech stacks
- Develop opinionated advice specifying which controls best secure critical workloads, and guide teams on how to implement these controls
- Socialize baselines and their guides across engineering teams, and align with leadership on commitments for critical workloads
- Drive baseline adoption to critical mass, and make it the norm via incremental culture-change
- Work with the security assurance team to identify key baseline candidates in need of feasible solutions
- Unblock remediation issues, and manage exceptions where necessary
- Define metrics for success, and develop dashboards to monitor progress and adoption of controls via development and deploy tools (guardrails, wrappers/libraries, platform features, deployment checks)
Education & Experience
Bachelor's degree in Computer Science / Engineering with emphasis in security-related fields (or equivalent experience). Certs like OSCP, OSCE, OSEE, etc. helpful but not vital. Bonus points for community contributions like public CVEs, bug bounty recognition, open source tools, blogs, etc.
- Apple is an Equal Opportunity Employer that is committed to inclusion and diversity. We also take affirmative action to offer employment and advancement opportunities to all applicants, including minorities, women, protected veterans, and individuals with disabilities. Apple will not discriminate or retaliate against applicants who inquire about, disclose, or discuss their compensation or that of other applicants.
- Apple will consider for employment all qualified applicants with criminal histories in a manner consistent with applicable law.
- Apple is committed to working with and providing reasonable accommodation to applicants with physical and mental disabilities.