As a Product Security Engineer at Vimeo, you will be the goalkeeper, preventing design flaws and sneaky bugs from ever reaching production. You’ll conduct threat modeling exercises with developers before they start coding, you’ll add security requirements to design specifications, and you’ll review PRs by manually auditing the source code and by poking at the live application in a staging environment.
Your domain will include our customer-facing web applications, our mobile applications, our backend microservices, our internal employee-facing services, and our cloud infrastructure.
You will collaborate heavily with the rest of the Application Security team, as well as the greater security team, in a variety of activities, either offensive or defensive in nature, ultimately aimed at safeguarding our users who entrust Vimeo with their content every day.
You will work frequently with and support developers, as well as members of the infrastructure security team, the compliance team, IT, Product, and other teams throughout the organization.
Do you love to solve puzzles? Are you a great team player? Do you care tremendously about code quality? Then please consider joining our team!
What you’ll do:
- Design Reviews and Threat Modeling
- PR/Code reviews
- Adding security requirements to design specifications
- Validating that security requirements have been met
- Consulting with other teams to stay aware of upcoming new features that may need review
- Fostering a collaborative and supportive relationship between Developers and Security
- Mentoring colleagues
- Other potential tasks — managing our public bug bounty program, installation and tuning of SDLC automation, incident response, developing internal ad hoc security tools, collaborating with the infrastructure security team, collaborating with the compliance and privacy team, promoting security awareness throughout the organization, teaching defensive coding standards, consulting on remediation strategies, etc.
- A typical day will look like this:
- Review a few PRs in GitHub
- Read over the design specification for a new feature and schedule a call to discuss it with the team of developers
- Meet with folks on the Product team to learn about their newest upcoming features
- Use Burp Pro or OWASP Zap to validate that a security requirement in a new feature has been met
- Provide technical advice in response to occasional questions from developers and other members of the security team
Skills and knowledge you should possess:
- 6+ years experience in Application Security preferred
- Experience conducting design reviews and threat modeling exercise
- Knowledge of software design principles, patterns, and defensive coding protocols
- Confident knowledge of all vulnerabilities on the OWASP Top 10, as well as others
- Strong knowledge of modern web, mobile, and network security
- Knowledge of modern frameworks
- Confident working in and across cloud environments like AWS and GCP. Detailed knowledge of at least one cloud environment.
- Confident with common SDLC components, like git, Jira, Jenkins, etc.
- Confident ability to communicate technical security concepts to developers
- At least an upper-intermediate level of English
Bonus points (nice skills to have, but not needed):
- Major plus: full-stack web development experience creating RESTful applications (in any language)
- Links to HackerOne/BugCrowd/Intigriti/Synack profile
- Links to CVEs discovered
- Link to a Github repo with security tools/scripts you’ve developed or help maintain
- Open source vulnerability research or blog posts
Vimeo (NASDAQ: VMEO) is the world’s leading all-in-one video software solution. Our platform enables any professional, team, and organization to unlock the power of video to create, collaborate and communicate. We proudly serve our growing community of over 230 million users — from creatives to entrepreneurs to the world’s largest companies.
Vimeo is headquartered in New York City with offices around the world. At Vimeo, we believe our impact is greatest when our workforce of passionate, dedicated people, represents our diverse and global community. We’re proud to be an equal opportunity employer where diversity, equity and inclusion is championed in how we build our products, develop our leaders, and strengthen our culture.