Collaborate with MongoDB Infosec and application security teams to create a threat matrix focused on SDLC processes, tooling and infrastructure to improve and evolve our security posture within our development ecosystem.
Provide architectural guidance on best practices for, and implement, security tooling, automation and technical controls across our developer pipelines, services and infrastructure that adhere to the central principles of least privilege, defense in depth, integrity protection and access control.
Drive SDLC compliance through engineering efforts and implementation/automation of processes, controls and tools.
Work with engineering teams across MongoDB to ensure that we are building scalable and sustainable security solutions for our product development and release processes.
Engage in security investigations to respond to and analyze emerging threats.
Develop strategies to exercise and improve our SDLC security posture utilizing red team and pen test activities.
Be a technical authority to help us stay aligned with MongoDB’s security initiatives and policies by driving mid to large scale projects with high visibility.
Stay up to date on emerging trends in the software security industry to help us stay ahead of new threat vectors and compliance requirements.
Work with Legal, Privacy and Internal Audit to ensure that we are operating within regulatory and compliance standards.
Requirements
8+ years of progressive experience with open source and commercial application security testing and analysis tools for attack surface management, dynamic security analysis (DAST), and static code analysis (SAST).
Relevant software development experience, understanding how software is designed, built and can be broken is critical.
Subject matter expert in all phases of the software development lifecycle and supply chain.
Domain expertise in software and security, grounded in software development and security best practices.
Demonstrated experience with threat modeling, risk analysis and control design.
Advanced understanding of vulnerability exploitation chaining and vulnerability remediation.
Experience with or understanding of languages such as C++, C, Rust, Go, Python, Java, or other related languages.
Experience with cloud native development pipelines and tooling such as Docker, Kubernetes, and other release/deployment tooling.
The ability to work autonomously, identifying gaps and creating solutions independently with minimal direction.
Demonstrated ability to work collaboratively across domains with senior engineering leaders and stakeholders in other teams and departments.
Deep understanding of the SLSA framework and of CWE, MITRE, OWASP and CIS Benchmarks.
Experience running Red Team exercises and building remediation roadmaps.
Commitment to self-education, continuously learning and investing in skills and knowledge relevant to the team and the position.
Knowledge of or experience with MongoDB products and services.
Other things you might want to know
We’re a distributed team. Our Platforms team is located mostly in the EDT and PDT time zones, but we work with other teams all over the world.
Our team is remote-first. We use tools like Slack and Zoom to work together. We try to get together on occasion, but our day-to-day is all remote. (If you live close to one of our offices, and would like to use it, that’s okay, too!)
While our customers are internal, the work done in this space is still customer-impacting, as the integrity of our systems and processes for our product depends on us.
You’d have a chance to join our team at the early stages of modernizing and refining our engineering practices, tooling and infrastructure, where you will have a tremendous impact on how we deliver our products.