Director of Security Engineering
Trust & Security
Shopify is looking for a security leader to help shape the future of trustworthy commerce for us and our 600,000+ merchants. Our Production Security team is responsible for three areas - Application Security, Mobile Security, and Infrastructure Security. We brought these three areas together in anticipation of Shopify’s migration to Google Cloud, so that these teams could together build trust across our platform and products.
We are looking for a Director of Production Security to lead each of these teams and provide technical security advice as a stakeholder on projects deployed across the company. Shopify needs someone with experience securing web applications and/or infrastructure at scale, growing highly technical teams, and supporting secure engineering practices in a fast-paced development environment. Beyond the technical requirements, we need a director who cares about the people they lead, and who approaches security with empathy for Shopify's ambitions.
We know that this is a lot to ask, and we aren’t expecting that you have deep experience in all of the areas covered by our Production Security team in order to apply. We’ve mapped out some of our thoughts on this role in this diagram, but if your background is more aligned with Application Security, we’d like you to have some of the following experience:
-- Setting up and/or running a bug bounty program.
-- Securing a multi-tenant web application.
-- Performing web application penetration testing using all resources at your disposal, especially source code.
-- Building tooling to help developers deploy secure software.
-- Triaging and resolving security vulnerabilities in the application layer.
-- Developing web or mobile applications.
-- Conducting application design reviews and building security solutions.
And if you’re more well-versed in Infrastructure Security, we’re looking for some (or all!) of this experience in your background:
-- Building technical security systems in a cloud environment.
-- Securing containerized applications using technologies such as Docker or Kubernetes.
-- Creating RBAC policies in a CI/CD environment.
-- Understanding Linux systems primitives, and employing them in a security context.
-- Patching and vulnerability management at the systems level.
Requirements for the role:
- Security expertise at scale. You’ve dived deep in either Application or Infrastructure Security, and possess some or all of the experience listed above for your discipline/area of expertise.
- Continuous learning. You are constantly learning more about your area of security, staying on top of news of the latest vulnerabilities and trends in the industry. You also have a keen interest in and willingness to learn other areas of technical security engineering, and are able to ramp up quickly.
- People and technical leadership. You’ve developed and executed roadmaps and mentored highly technical engineers as they grow in their craft. These are different skills, and you constantly seek ways to improve your leadership abilities to help your team succeed.
- Software-as-a-Service experience. You understand the particular concerns of a SaaS company because you’ve operated in this environment. You are particularly motivated by the concerns of both the teams you partner with in your company, and the customers who use the service.
- Relationship building. You are able to develop trust relationships quickly with stakeholders across a business through your empathy and resourcefulness. You are known as a partner, rather than a blocker.
- Creativity and flexibility. Problem-solving is more than a catch phrase for you. You approach new and novel challenges wondering how to make it work rather than how to shut it down, and seek multiple opinions and approaches when tackling difficult problems.
- Note: if some of this tech is new to you, that's okay! We realise that not everyone has worked with this stack before and provide opportunities for learning as you go.
- Building security features for applications running on public cloud: GCP, AWS, Azure.
- Building technical security teams to meet current and future engineering objectives.
- Providing security input to product teams across Shopify.
- Securing Shopify’s kubernetes-based cloud infrastructure.
- Developing and implementing new technology to support security monitoring and incident response in the cloud.
- Building tooling to scale secure deployment of systems across everything that Shopify runs.
- Leading Shopify’s strategy for secure mobile and web application development.
- Owning the roadmap and leading engineering for authentication systems used across Shopify’s products.
- Understanding new web authentication standards and building products that can support them.
We know that looking for a new role can be both exciting and time-consuming, and we truly appreciate your effort. Ash is an actual real live person (👋🏻) and is looking forward to learning more about you through your application.
And remember, we want to know what you're really interested in building and why you want to build it at Shopify, so please give us as much detail on this as you'd like in your cover letter - we do love a good story. 👍 📖