Senior Product Security Engineer - Slack

We’re Salesforce, the Customer Company, inspiring the future of business with AI+ Data +CRM. Leading with our core values, we help companies across every industry blaze new trails and connect with customers in a whole new way. And, we empower you to be a Trailblazer, too — driving your performance and career growth, charting new paths, and improving the state of the world. If you believe in business as the greatest platform for change and in companies doing well and doing good – you’ve come to the right place.

Slack enables people around the world to communicate and collaborate together, from the world’s largest public companies to the smallest of startups. We take performance and reliability very seriously.

A taste of our scale:

• During the week, our users spend over a billion minutes a day active in our product.

• At peak usage, a million messages a minute passed through Slack.

• Every day we see over 15 million simultaneously connected users

• For millions of people, Slack is their primary communication tool for work and more, and they expect it to be extraordinarily reliable and fast year-round.

About Us

Our Product Security Assurance team supports the following tenet of Slack’s mission: make people’s working lives more secure. We’re serious about protecting our infrastructure, operations, and most importantly our customers’ data. We take a systemic approach to security and strive to ensure we provide low friction, high impact security across everything we do. As a member of the Product Security team, you care about shipping secure products and protecting Slack’s users from bad actors. You are passionate about enabling our developers to deliver new features securely. You think about your job as not just identifying individual vulnerabilities but also finding effective ways to eliminate whole classes of them. Your work will directly impact the way millions of people, teams, and businesses get things done using Slack.

Slack has a positive, diverse, and supportive culture—we look for people who are curious, inventive, and working to be a little better every single day. In our work environment, we aim to be smart, humble, hardworking and, above all, collaborative. If this sounds like a good fit for you, read on ahead!

What you will be doing

• Contributing security-focused feedback to engineers during all phases of the development lifecycle

• Performing technical security assessments on our web applications, native clients, internal services, and partner applications

• Seeking out opportunities to automate processes when appropriate

• Scaling the impact of our team through direct mentorship of our more junior team members

• Communicating risks to engineering staff through training and technical demonstration of vulnerabilities and secure design patterns

• Maintaining and creating secure development practices and programs for our engineering teams and external developers

• Acting as an ambassador for security within Slack

• Serving as a public representative for security at Slack by engaging periodically in internal and external speaking engagements

• Identifying emerging classes of vulnerabilities and developing solutions for them before they’re a problem

• Efficiently scoping blackbox, whitebox, and graybox assessments to optimize security review time and resources

What you should have

• Bachelor’s degree in Computer Science, Engineering or related field, or equivalent training, fellowship, or work experience is required

• 4+ years proven experience in security testing of web applications and native apps including Electron and iOS and Android mobile applications.

• Deep understanding of web application architecture and design principles

• Experience with Threat Modeling applications using STRIDE or similar framework.

• Experience with websockets and protobuf a plus

• Strong written and verbal communication skills and ability to communicate with empathy when delivering constructive feedback regarding security matters to engineers and product designers

• Experience with manual secure code review in languages such as: JavaScript, Java, Python, Ruby, PHP, HackLang

• Familiarity with common web application testing tools for DAST, SAST, and IAST analysis such as Burp Suite, Snyk, and/or Semgrep

• Knowledge of authentication mechanisms like SAML, OAuth, etc.

• Knowledge of common security flaws and resolution as published by OWASP, SANS, etc.

• Knowledge of how to test code and applications across various platforms (iOS, Mac, Linux, Windows, Android, etc) for security and quality

• Ability to see patterns, commonalities and investigate complex issues

• Organizational skills to bring together and record detailed and accurate information about bugs and systemic issues

• Experience with Amazon AWS services and familiarity with Slack products is a plus

• Current or former security training or certifications such as SANS GWAPT, OSCP, OSWE or similar is a plus

• Public speaking engagements or published research is also a plus; a successful engineer in this role will be expected to represent Slack externally from time to time

• Though this is not primarily a development role, some background in software engineering in a collaborative and dynamic environment is a plus