At Fitbit, our mission is to help people lead healthier, more active lives by empowering them with data, inspiration and guidance to reach their goals.

We started our journey in 2007, as a team of two with one big idea. Since then, we’ve grown to over 1,500 employees, sold over 60 million devices, and built a health and fitness community across the globe. In fact, the Fitbit Community has taken enough steps to walk from the Sun to Pluto! Offering award-winning products, a top-rated mobile app and an easy-to-use online dashboard, Fitbit provides personalized experiences that help our users reach their goals. With a reenergized focus on innovative devices, interactive experiences, and enterprise health we are transforming the way consumers and businesses see health & fitness.

From your first steps as a Fitbitter, you will be at the forefront of developing new products. Our culture combines the spirit of startup with the perks of being public. We offer a competitive benefits package and amazing perks like unlimited snacks, Friday happy hours, onsite workout classes, and a strong focus on a healthy work-life balance. As part of our team, you’ll have the opportunity to grow your career, contribute your ideas to life-changing products and services, and—above all—have fun doing it.

Fitbit’s HQ campus is located in the heart of San Francisco with office locations in Boston, San Diego and around the world. Think you’ve found your fit?

Fitbit is looking for a Senior Product Security Engineer. Product security engineers are the face of our product security team. They are the primary interface that product and engineering teams have with the security team. They use a collaborative approach to ensure that teams know how to engage with the information security team and to get those teams timely, relevant, pragmatic, actionable advice. They understand how software and products are created, understand the challenges in delivering great products and services, and have empathy for the people making those products.

Product security engineers should be able to speak intelligently about the entire technology stack being used at Fitbit: from firmware on our devices, through our mobile applications and into cloud software and infrastructure. The goal is not for product security engineers to be experts in every part of this stack, but they do need to have sufficient knowledge to be able to give quick and sensible initial feedback on any part of the stack, and to back this up with research from a more experienced colleague on the team.

We also expect every product security engineer to be a subject matter expert in one area and to take responsibility for that area within the product security team. Product security engineers aim not only to identify and eliminate security vulnerabilities in our products and services but to identify the root causes of these issues, helping to address them through, for example, training and awareness initiatives or automation and tooling.

Ideal candidates may come from many different backgrounds, e.g. you may be a software engineer who is passionate about security, you may be a bug bounty participant, you may have worked on other product security teams or you may be a recovering security consultant.

Team Deliverables

Senior Product Security engineers are leaders within the product security team that assist with the scoping, coordination and delivery of these services. They also mentor other team members to ensure they are delivering these services in line with our team culture and practices.

The product security team is responsible for delivering the following services:

  1. Conduct threat modelling / adversarial thinking exercises
  2. Provide application security advice to engineers
  3. Perform manual and automated code review
    1. Our goal is to automate as much of our role as possible
    2. Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer
    3. Help enable self-service reviews for engineers
    4. Work on tooling to expedite the process of doing software reviews
  4. Perform ad-hoc application security assessments
  5. Assist with Fitbit’s Bug Bounty programs
    1. Help with the replication, prioritization and filing of issues identified via our bug bounty programs
  6. Assist with Fitbit’s developer outreach efforts
    1. Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them
  7. Serve as a technical leader and mentor for other product security engineers

Expertise Required

Each product security engineer on our team brings a unique set of skills. The one skill they have in common is the ability to relate to software developers and provide suitable guidance. We expect every senior or principal product security engineer to be an expert in at least one of the following domains:

  • Operating Systems / Native Applications / Firmware - You understand memory corruption vulnerabilities, exploit mitigations, operating system internals and can comfortably navigate a C code base.
  • Web Application Security - You live and breathe XSS, XXE, SQLi, padding oracles and obscure logic bugs, you understand modern web security controls such as CSP and Subresource Integrity, and you’re comfortable finding your way around a Java, NodeJS, Python, Ruby or Go codebase.
  • Mobile Application Security - You can find vulnerabilities in a certificate pinning implementation, you understand mobile IPC mechanisms, and you’re comfortable finding your way around an Android or iOS code base.
  • Applied Cryptography - You understand common cryptographic mistakes, and you can explain the difference between AES-CBC and AES-GCM modes (for instance, why an unauthenticated CBC ciphertext can be silently altered while GCM rejects the change).
  • Infrastructure & Cloud Security - You understand cloud security controls in GCP and AWS, you know how to harden a Linux system, and you’re comfortable with infrastructure as code and tools such as Ansible, Puppet and Terraform.
  • Hardware Security - You can find and exploit JTAG headers on a board, you know how to dump flash, and you understand hardware security protections.
  • Adversary Simulation / Red Teaming
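The CBC-versus-GCM distinction named in the Applied Cryptography bullet, shown as an added example in Go; this is not code from the posting or from Fitbit. The key, IV, nonce and the one-block message `admin=0;role=usr` are constructed here so the run is deterministic; real code must use a fresh random IV or nonce per message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Fixed key, IV and nonce so the demo is deterministic (assumption for the
// example only). In production the IV and nonce MUST be fresh per message.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	demoIV    = make([]byte, aes.BlockSize)                 // 16 zero bytes
	demoNonce = make([]byte, 12)                            // standard GCM nonce size
	// Constructed sample message: exactly one AES block, so the byte we
	// tamper with sits in block 0, which CBC derives directly from the IV.
	demoMsg = []byte("admin=0;role=usr")
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty input")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbcEncrypt / cbcDecrypt give confidentiality only: nothing checks that the
// ciphertext handed to the decryptor is the one the encryptor produced.
func cbcEncrypt(key, iv, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), pt...), aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, nil
}

func cbcDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// gcmSeal / gcmOpen add an authentication tag over ciphertext and AAD;
// Open fails closed on any change to either.
func gcmSeal(key, nonce, pt, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, aad), nil
}

func gcmOpen(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// CBCTamperDemo flips bits in the IV. Because P[0] = D(C[0]) XOR IV, the same
// bits flip in plaintext byte 6, turning '0' into '1' with no error raised.
func CBCTamperDemo() (string, error) {
	ct, err := cbcEncrypt(demoKey, demoIV, demoMsg)
	if err != nil {
		return "", err
	}
	iv := append([]byte(nil), demoIV...)
	iv[6] ^= '0' ^ '1' // attacker knows the plaintext layout, not the key
	pt, err := cbcDecrypt(demoKey, iv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// GCMTamperDemo makes the same one-byte change to a GCM ciphertext. The tag
// no longer verifies, Open returns an error and no plaintext is released.
func GCMTamperDemo() error {
	ct, err := gcmSeal(demoKey, demoNonce, demoMsg, []byte("v1"))
	if err != nil {
		return err
	}
	ct[6] ^= '0' ^ '1'
	_, err = gcmOpen(demoKey, demoNonce, ct, []byte("v1"))
	return err
}

func main() {
	pt, err := CBCTamperDemo()
	fmt.Printf("CBC after tamper: %q err=%v\n", pt, err)
	fmt.Printf("GCM after tamper: err=%v\n", GCMTamperDemo())
}
```

The CBC half is the bit-flipping attack that a padding-oracle or MAC-then-encrypt bug turns into a practical exploit; the GCM half is why an AEAD mode (or encrypt-then-MAC) is the default answer when reviewing code that encrypts attacker-reachable data.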

Fitbit is proud to be an equal opportunity employer. We recruit, hire, train, promote, pay, and administer all personnel actions without regard to race, color, ancestry, national origin, citizenship, religion, age, sex (including pregnancy, childbirth, and medical conditions related to pregnancy, childbirth, or breastfeeding), sex stereotyping (including assumptions about a person’s appearance or behavior, gender roles, gender expression, or gender identity), sexual orientation, gender, gender identity, gender expression, marital status, medical condition, mental or physical disability, military or veteran status, genetic information or other statuses protected by law. We interpret these protected statuses broadly to include both the actual status and any perceptions and assumptions made regarding these statuses.

San Francisco applicants:  Pursuant to the San Francisco Fair Chance Ordinance Fitbit will consider for employment qualified applicants with arrest and conviction records.


U.S. Equal Opportunity Employment Information (Completion is voluntary)

Individuals seeking employment at Fitbit are considered without regards to race, color, religion, national origin, age, sex, marital status, ancestry, physical or mental disability, veteran status, gender identity, or sexual orientation. You are being given the opportunity to provide the following information in order to help us comply with federal and state Equal Employment Opportunity/Affirmative Action record keeping, reporting, and other legal requirements.

Completion of the form is entirely voluntary. Whatever your decision, it will not be considered in the hiring process or thereafter. Any information that you do provide will be recorded and maintained in a confidential file.

Race & Ethnicity Definitions

If you believe you belong to any of the categories of protected veterans listed below, please indicate by making the appropriate selection. As a government contractor subject to Vietnam Era Veterans Readjustment Assistance Act (VEVRAA), we request this information in order to measure the effectiveness of the outreach and positive recruitment efforts we undertake pursuant to VEVRAA. Classification of protected categories is as follows:

A "disabled veteran" is one of the following: a veteran of the U.S. military, ground, naval or air service who is entitled to compensation (or who but for the receipt of military retired pay would be entitled to compensation) under laws administered by the Secretary of Veterans Affairs; or a person who was discharged or released from active duty because of a service-connected disability.

A "recently separated veteran" means any veteran during the three-year period beginning on the date of such veteran's discharge or release from active duty in the U.S. military, ground, naval, or air service.

An "active duty wartime or campaign badge veteran" means a veteran who served on active duty in the U.S. military, ground, naval or air service during a war, or in a campaign or expedition for which a campaign badge has been authorized under the laws administered by the Department of Defense.

An "Armed forces service medal veteran" means a veteran who, while serving on active duty in the U.S. military, ground, naval or air service, participated in a United States military operation for which an Armed Forces service medal was awarded pursuant to Executive Order 12985.


Form CC-305

OMB Control Number 1250-0005

Expires 1/31/2020

Voluntary Self-Identification of Disability

Why are you being asked to complete this form?

Because we do business with the government, we must reach out to, hire, and provide equal opportunity to qualified people with disabilities[1]. To help us measure how well we are doing, we are asking you to tell us if you have a disability or if you ever had a disability. Completing this form is voluntary, but we hope that you will choose to fill it out. If you are applying for a job, any answer you give will be kept private and will not be used against you in any way.

If you already work for us, your answer will not be used against you in any way. Because a person may become disabled at any time, we are required to ask all of our employees to update their information every five years. You may voluntarily self-identify as having a disability on this form without fear of any punishment because you did not identify as having a disability earlier.

How do I know if I have a disability?

You are considered to have a disability if you have a physical or mental impairment or medical condition that substantially limits a major life activity, or if you have a history or record of such an impairment or medical condition.

Disabilities include, but are not limited to:

  • Blindness
  • Deafness
  • Cancer
  • Diabetes
  • Epilepsy
  • Autism
  • Cerebral palsy
  • HIV/AIDS
  • Schizophrenia
  • Muscular dystrophy
  • Bipolar disorder
  • Major depression
  • Multiple sclerosis (MS)
  • Missing limbs or partially missing limbs
  • Post-traumatic stress disorder (PTSD)
  • Obsessive compulsive disorder
  • Impairments requiring the use of a wheelchair
  • Intellectual disability (previously called mental retardation)

Reasonable Accommodation Notice

Federal law requires employers to provide reasonable accommodation to qualified individuals with disabilities. Please tell us if you require a reasonable accommodation to apply for a job or to perform your job. Examples of reasonable accommodation include making a change to the application process or work procedures, providing documents in an alternate format, using a sign language interpreter, or using specialized equipment.

[1] Section 503 of the Rehabilitation Act of 1973, as amended. For more information about this form or the equal employment obligations of Federal contractors, visit the U.S. Department of Labor's Office of Federal Contract Compliance Programs (OFCCP) website at www.dol.gov/ofccp.

PUBLIC BURDEN STATEMENT: According to the Paperwork Reduction Act of 1995 no persons are required to respond to a collection of information unless such collection displays a valid OMB control number. This survey should take about 5 minutes to complete.