
- Seniority
- Staff
About the role
<div><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;">SoundCloud empowers artists and fans to connect and share through music. Founded in 2007, SoundCloud is an artist-first platform empowering artists to build and grow their careers by providing them with the most progressive tools, services, and resources. With 400+ million tracks from 40 million artists, the future of music is SoundCloud.</span></div>
<div>
<div> </div>
<div><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">We are looking for a Principal Product Security Engineer to join our Security team!</span></div>
<div> </div>
<div><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">As a Product Security Engineer, you will collaborate cross-functionally with engineering teams to identify and address potential vulnerabilities in our products and services. You will advocate and shape security best practices across SoundCloud’s Engineering, Product, and Design (“EPD”) organization. This position offers a unique opportunity to play a direct, pivotal role in safeguarding our products against emerging cyber threats to our platform, artists and creators, and listeners and fans.</span></div>
<p><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><strong>Key Responsibilities:</strong></span></p>
<ul>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Identify security anti-patterns in our codebases and architecture and drive cross-functional initiatives to systemically address them</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Help guide our Engineering and Product teams around the safe and responsible use of agentic AI in our products and Software Development Lifecycle (SDLC)</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Drive efforts to automate the security of our SDLC, including our CI/CD pipelines</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Secure our AWS, GCP, and on-prem infrastructure through implementing proper access control and guardrails </span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Conduct secure code reviews and threat modeling exercises to identify and remediate potential security vulnerabilities</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Define, implement, and oversee processes and policies in our Vulnerability Management Program</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Triage submissions from our external bug bounty program and drive them to remediation</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Participate in our security incident response process</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Make recommendations to external teams and stakeholders about how to improve the consumer security of our platform</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Promote security best practices through educational initiatives such as CTFs and technical talks</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Improve internal tooling, processes, and documentation</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Help to define the Product Security program and team strategy</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Mentor and onboard team members</span></li>
</ul>
<p><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><strong>Experience and Background:</strong></span></p>
<ul>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">8+ years of product or application security experience, or other relevant software engineering experience</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Deep expertise in designing secure architecture</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Enthusiasm about collaborating with engineering and product teams to proactively address security issues in products</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience conducting threat modeling exercises and secure code reviews</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience configuring DevSecOps tools (e.g. SAST, SCA, Secret Scanning)</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience managing bug bounty programs</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Familiarity with languages such as JavaScript, Go, Ruby, Python, or Scala</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience working with cloud providers (AWS, GCP) and Developer SaaS solutions (GitHub, Jira)</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Familiarity with IaC tools such as Terraform and CloudFormation</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Ability to effectively communicate risk to technical and non-technical audiences</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience with data analysis (SQL) in order to determine scope and impact of vulnerabilities</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Knowledge of industry-standard security frameworks and regulations, such as GDPR, CCPA, SOC2, NIS2, and OWASP, is a plus</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience with vulnerability management is a plus</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience threat modelling and securing Generative AI applications and use cases in the context of the EU AI Act is a plus</span></li>
<li style="font-family: helvetica, arial, sans-serif; font-size: 10pt;"><span style="font-family: helvetica, arial, sans-serif; font-size: 10pt;">Experience with data governance is a plus</span></li>
</ul>
</div>
<p><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><em><span style="font-weight: 400;">The salary range for this role is $190,000 - $220,000 annually. The final salary offered will be determined based on relative experience, skills, internal equity, and location. We also offer a generous total rewards program - read more about additional benefits and perks below! </span></em></span></p>
<h4><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><strong>About us:</strong></span></h4>
<ul>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">We are a multinational company with offices in the US (New York and Los Angeles), Germany (Berlin), and the UK (London)</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">We provide a flexible work culture that offers the opportunity to collaborate and connect in person at our offices as well as accommodating work from home</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">We are deeply committed to ensuring diversity, equity and inclusion at all levels of our organization and fostering a community where everyone’s voice, perspective and experience is respected and heard</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">We believe a strong team is made by investing in employees through mentorship, workshops and enrichment opportunities</span></li>
</ul>
<h4><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><strong>Benefits:</strong></span></h4>
<ul>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Comprehensive health benefits including medical, dental, and vision plans, as well as mental health resources</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Robust 401k program</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Employee <span style="font-weight: 400;">Equity</span> Plan</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Generous professional development allowance</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Interested in a gym membership, photography course or book? We have a Creativity and Wellness benefit!</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Flexible vacation and public holiday policy where you can take up to 35 days of PTO annually</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">16 paid weeks for all parents (birthing and non-birthing), regardless of gender, to welcome newborns, adopted and foster children</span></li>
<li style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;"><span style="font-weight: 400; font-size: 10pt; font-family: helvetica, arial, sans-serif;">Various snacks, goodies, and 2 free lunches weekly when at the office</span></li>
</ul>
<h4><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><strong>Diversity, Equity and Inclusion at SoundCloud</strong></span></h4>
<p><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><em>SoundCloud is for everyone. Diversity and open expression are fundamental to our organization; they help us lead what’s next in music by understanding and empowering our creators and fans, no matter their identity. We acknowledge the challenges in the music industry, and strive to influence an inclusive culture where everyone can contribute respectfully and thrive, especially the historically marginalized communities that many of our creators, fans and SoundClouders identify with. We are dedicated to creating an inclusive environment at SoundCloud for everyone, regardless of gender identity, sexual orientation, race, ethnicity, migration background, national origin, age, disability status, or care-giver status.</em></span></p>
<p><span style="font-size: 10pt; font-family: helvetica, arial, sans-serif;"><em><span style="font-weight: 400;">At SoundCloud you can find your community or elevate your allyship by joining a Diversity Resource Group. Diversity Resource Groups are employee-organized groups focused on supporting and promoting the interests of a particular underrepresented community in order to build a more inclusive culture at SoundCloud. Anyone can join, whether you share the identity or strive to be an ally.</span></em></span></p>
Perks & benefits
- 401k
- Vision Insurance
- Unlimited Vacation
- Paid Time Off
- Learning Budget
- Free Gym Membership
- Equity Compensation