
Product Security Engineer
Posted May 7

• Collaborate closely with engineering, SRE, and platform teams to integrate security throughout all stages of the software development lifecycle, from design to production.
• Take ownership of threat modeling and secure design evaluations for new features, lead vulnerability assessments, and secure code reviews across our microservices and mobile applications, while enhancing our AI-centric security tools.
• Manage and enhance ShopBack's vulnerability management program, prioritizing findings using EPSS, CISA KEV, and business context, and accelerating remediation through automation and collaboration with engineering teams.
• Assist in incident response for product security incidents, which includes blast radius analysis, root cause analysis, variant hunting, and post-incident strengthening.
• Collaborate with compliance on evidence and controls for various audits, aligning engineering realities with audit standards.
• 3 to 4 years of practical experience in product or application security, including securing cloud-native, microservices, and mobile applications in production settings.
• Proficient in threat modeling, with familiarity in STRIDE, attack trees, or similar frameworks.
• Depth in design review — capable of interpreting architecture diagrams or PRDs to identify vulnerabilities such as weak authentication, authorization gaps, data exposure risks, insecure integrations, and systemic issues.
• Skilled in vulnerability analysis and secure code review — adept at examining code (Node.js/TypeScript, Python, Go, or similar) for OWASP Top 10 vulnerabilities, business logic flaws, authorization issues, and supply chain risks.
• Programming expertise in at least one of the following: Python, TypeScript/Node.js, or Go.
• Strong familiarity with modern AI tools — regularly utilizing LLMs, coding agents, and MCP-based tools in daily security tasks.
• Knowledge of AI/ML security risks, including prompt injection, data exfiltration via agents, insecure tool usage, model supply chain issues, and related attack vectors.
• A builder mindset for AI-first security — enthusiastic about designing security workflows with AI as a primary component.
• Learning to Execution Mentality — staying current with emerging technologies, filtering out noise, and applying insights into tools and processes.
• Pragmatic and high-signal approach — concentrating on high-severity, high-impact issues while avoiding low-severity distractions.
• Strong written communication skills — capable of distilling complex findings into concise risk statements, clear recommendations, and actionable remediation paths for busy engineering teams.
• Collaborative by nature — achieving results through partnership with engineering rather than gatekeeping.
• Comfortable navigating ambiguity and taking ownership of responsibilities.
• Competitive compensation based on your performance.
• Career advancement opportunities and paths that allow you to embrace greater challenges to achieve your ambitions.
• An open, candid, and collaborative culture where feedback is appreciated, enabling everyone to grow and improve each day.