[Remote] Senior Product Security Engineer, Secure Design (Kernel and Virtualization)
Note: The job is a remote job and is open to candidates in USA. DigitalOcean is a cutting-edge technology company focused on simplifying cloud solutions. They are seeking a Senior Product Security Engineer to assess and mitigate security risks in their virtualization stack, build frameworks for threat modeling, and collaborate with engineering teams to implement security measures.
Responsibilities
- Propose and implement mitigations and defense-in-depth to threats discovered through threat modeling the virtualization stack (90%)
- Provide deep technical expertise in systems architecture, kernel security features and network architecture to build out a threat model for our virtualization stack
- Identify the trade-offs of different solutions and recommend the efficient design to achieve both functional goals and security requirements. We do not deliver mandates; we work alongside cross-functional partners to find mutually beneficial solutions
- Collaborate with development teams to implement remediations and defense in depth to protect DigitalOcean's customers' workloads
- Cultivate and promote a security culture (10%)
- Mentor software engineering teams in security best practices
- Help oversee our vulnerability management program (we call it security debt)
- Help DigitalOcean engineers understand how security events impact them. Do they need to worry about the next Redfish or Copy Fail CVEs? How does RetBleed impact DigitalOcean's fleet?
Skills
- Deep familiarity with at least one kernel security feature (ex: AppArmor, SELinux, Landlock, etc.)
- Capable of assessing and understanding the performance implications of code changes to virtualization stacks (especially in Qemu and KVM), built from hands-on experience
- A record of partnering with internal engineering teams to tackle security problems across an entire stack with empathy and creativity. Engineering teams are our partners, not our adversaries
- Ability to clearly communicate security topics and vulnerability classes (e.g. memory corruption, privilege escalation, TOCTOU, etc) and ability to provide actionable direction to product teams
- Working knowledge of modern development concepts (virtualized environments, containerization, continuous integration + delivery)
- 5+ years of writing systems level code (embedded systems, kernel, assembly or similar)
- Experience guiding software teams on secure architecture design
- Written code for an embedded system (raspberry pi, arduino, etc)
- Experience building or reviewing threat models and ability to craft malicious user, attacker, and abuse/misuse cases
- An understanding of patches and mitigations for hardware side-channel attacks
- Familiarity with object oriented and functional programming concepts, particularly with languages such as Go, Rust, or C
Benefits
- Reimbursement for relevant conferences, training, and education
- All employees have access to LinkedIn Learning's 10,000+ courses to support their continued growth and development
- Employee Assistance Program
- Local Employee Meetups
- Flexible time off policy
- Bonus in addition to base salary; bonus amounts are determined based on company and individual performance
- Equity compensation to eligible employees, including equity grants upon hire and the option to participate in our Employee Stock Purchase Program
Company Overview
Company H1B Sponsorship