posted Jul 04

Staff Security Engineer - DevSecOps

AWS Azure Cloud Google Cloud Platform Java JavaScript Kubernetes Python Ruby Rust SDLC Terraform Go expert

Job Location: Remote

Salary: $121,000 - $162,000 a year

Job Description

• Perform and troubleshoot various application security tools into CI/CD pipeline
• Perform spot validations to test an issue/fix
• Perform Design Reviews and Threat Modeling for Marqeta’s products
• Liaise with Bug Bounty programs and developer teams to track issues, provide remediation guidance, and test issues and fixes
• Provide support to all phases of penetration tests and red team activities, including Scoping, Planning, Communications, and Execution of key activities (Reconnaissance, Vulnerability identification, Exploitation, and Reporting)
• Engage with Core Engineering leads to ensure timely risk remediation
• Work closely with development teams to ensure that security and infrastructure requirements are included in the design and implementation of applications
• Take a role in the definition of relevant product security architecture strategies, roadmaps, policies, standards, and procedures
• Maintain and update relevant solutions and tooling to support new business requirements while ensuring a consistent, compliant, and central service delivery
• Document operational procedures (such as those for deployments, breakglass plans, etc.) as well as current state architecture and configurations
• Provide subject matter expertise to project teams and other audiences as needed
• Provide on-call rotation support to relevant services and tooling

Qualifications

• You have at least 5+ years of experience as an engineer with a Bachelor’s degree; or 3 years of experience with an advanced degree. Instead of a degree, 8+ years of relevant experience may suffice
• Industry standard certifications like OSCP/OSCE/CEH, CISSP, CWAD
• Experience or knowledge about Payments or Financial Services
• 5+ years of experience in software security (AppSec)
• Expert-level knowledge of common web application vulnerabilities (OWASP Top 10) and how to find them
• Knowledge of threat modeling methodologies such as STRIDE or PASTA and their applied use in fast-moving, iterative development lifecycles
• Developer-level proficiency in one or more languages - Python, Java, JavaScript, and Golang preferred
• Knowledge of cloud native technologies including containers, Kubernetes, and services provided by AWS, GCP, or Azure
• Experience in working with static analysis (SAST), dynamic analysis (DAST), and software composition analysis (SCA) security tools and integrating them in a GitHub environment
• Knowledge of OWASP ASVS, SCVS, and related verification standards
• Demonstrated experience creating positive team and cross-team dynamics
• Strong analytical and problem-solving skills that enable navigation of complexity, uncertainty, risks and issues
• Ability to work independently or with a team, under minimum supervision
• Proven ability to apply technical concepts to solve complex business challenges
• Ability to network with key stakeholders across multiple teams to influence outcomes through well-articulated thoughts, strong presentation skills, and pragmatic solutions
• Understand ownership and support positive outcomes
• Remain constructive under pressure, with a flexible working style

Benefits

• Multiple health insurance options
• Flexible time off – take what you need
• Retirement savings program with company contribution
• Equity in a publicly-traded company and an Employee Stock Purchase Program
• Family-forming benefits, fertility support, and up to 20 weeks of Parental Leave
• Free therapy sessions, financial and professional coaching, and legal advice
• Monthly stipend to support our remote work model
• Annual “development dollars” to support our people growth and development
