Back to all jobs

Product Security Engineer


Apr 14

Box is the market leader for Cloud Content Management. Our mission is to power how the world works together. Box is partnering with enterprise organizations to accelerate their digital transformation by creating a single platform for secure content management, collaboration and workflow. We have an amazing opportunity to further establish ourselves as leaders in the space, and we need strong advocates to help us achieve that goal. 
By joining Box, you will have the unique opportunity to help capture a majority of this developing market and define what content management looks like for the digital enterprise. Today, Box powers over 97,000 businesses, including 70% of the Fortune 500 who trust Box to manage their content in the cloud. 
It's an amazing time to be working at Box. With millions of users on our platform, we have an opportunity to ship products that will change the way that people work. Box is expanding its next generation security program for the cloud, and you can be a critical part of this creative, fast-paced, and exciting team. We are seeking a security professional with Product Security acumen with primary focus on Secure Software Development Life Cycle initiatives. 
  • Perform architectural review of product designs to perform a threat analysis, identify security risks, and provide recommendations to make our products secure and resilient
  • Deliver Threat Models in collaboration with engineering teams, enumerating potential attack scenarios. 
  • Review of source code for secure coding best practices
  • Incorporate secure code tools, technologies and processes in build pipelines and work with Director of Product Security on establishment of secure development practices
  • Ability to automate using Python, Java or other languages
  • Web / Mobile Application Penetration Testing
  • Working with engineering teams to prioritize security concerns, fix security risks, and provide mitigation recommendations
  • Communicate security risks and recommendations effectively with technical and non-technical audiences through verbal and written communications that lead to actionable and measurable improvements
  • Provide perspective on trends, recommendations, and best practices for customer success 
  • Owns or co-owns team level projects; executes with minimal guidance
  • Influence across teams with similar function (i.e. identifying and coordinating dependencies)
You have extensive experience in the product security space, have personally identified and remediated security flaws/concerns, have performed attack/threat modeling, and have lead pen-testing efforts. You are comfortable working on cross vertical initiatives, providing security requirements, and working with engineering to remediate and raise valid issues.
  • Degree in Computer Engineering, Computer Science, or a related field
  • 5+ Years Experience in the security field with a focus on securing products and applications 
  • Expertise on OWASP Top 10, Securing Microservices, Rest API, OAUTH, SAML, Securing SaaS solutions, CI/CD build eco systems
  • Familiarity with one or more programming languages, AWS/GCP cloud infrastructure services
  • Comfortable performing architecture, design reviews, threat modeling for security posture and risk assessment
  • You enjoy the challenge of a penetration test
  • Programming experience in the following but not limited to : Javascript, Python, Java, C/C++, Go, Rust
  • Excellent problem solving skills 
  • Excellent written and verbal communication skills
Nice to haves
  • Cybersecurity-related certification(s), including CCSP, CISSP, OSCP, OSWE, CEH, GPEN is a plus 
  • Expertise on Container Security
  • Experience and understanding of Cloud orchestration technologies like Kubernetes, Microservices, Docker
  • Proven track record of finding zero days/CVEs
  • Strong understanding of past, current, and emerging security exploits


Visit this webpage to check out all of our exciting benefits:

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
To promote the health and safety of all Boxers and our communities, in order to "Go to Work" at Box in the U.S., you must be Fully Vaccinated or have an approved accommodation. "Go(ing) to Work" at Box is defined as visiting a Box office, facility, or co-working site, visiting or meeting in person with fellow Boxers, Box clients and/or customers, vendors, or partners, engaging in business travel, and or participating in any Box-sponsored and/or related activity where others are present.  If you are fully remote and do not "Go to Work,” the vaccination requirement is not applicable.  "Fully Vaccinated" means that an individual is at least two weeks past their final dose of an authorized COVID-19 vaccine regimen.  If you are unable to get a vaccine due to a medical condition, a sincerely-held religious belief or another legally recognized reason, Box will consider requests for an accommodation.
For details on how we protect your information when you apply, please see our Personnel Privacy Notice.
#LI-Remote #LI-MG2