Security Engineer II - Security Design

About The Team

Uber's Product Security organization is looking for a Security Engineer II to join our Security Design team. The SG team offers contextual, on-demand security guidance to product teams at Uber, whenever new products or product features are being conceived. As a member of the team, your principal mission will be to coordinate and conduct pre-release technical security system design reviews for Uber's products and services as part of our secure software development lifecycle (SDL/SDLC). You will work closely with engineering teams throughout the company to analyze their engineering design documents, and identify potential security design flaws in the areas of cloud security, infrastructure security, data security, and applications security.

About The Role

As an SG engineer, you will provide security-specific corrective guidance to engineers, author security-related feature requests against products, capture critical technical design information required for security assessments, and own technical interfacing for related remediation efforts. This is a fantastic opportunity for an experienced security engineer who is knowledgeable in multiple security domains to play a central role in shifting security left, and make cross-cutting strategic impacts to the security of our next-gen systems and services!

What You'll Do

• Perform multi-disciplinary security design reviews of engineering design proposals while considering aspects of application security, cloud security, infrastructure security, data-layer security.
• Draw design inferences on our product designs, taking into consideration trade-off decisions to vector improvements in overall security posture of our products and services.
• Create quality written work products for both technical engineering and non-technical consumers.
• Be a subject matter expert and ambassador to core Uber Engineering in the areas of secure application and systems design!
• Conduct full security assessments of products that may include architectural review, threat modeling web and mobile apps assessments.
• Provide technical guidance for remediation efforts, coordinating with our AppSec and assessment teams.
• Perform any other security design or product security related activities or tasks as needed or directed.

Basic Qualifications

• Bachelor's in Computer Science, Engineering or a related field or equivalent work experience as a software engineering or security practitioner.
• 3+ years overall of relevant engineering or security engineering or security architectural experience.
• A security-related or architect-related certification such as CISSP, OSCP, CEH, GCP/AWS/Azure/OCI Cloud Security or Architect Certifications, and/or willing to work towards ultimately obtaining one as part of your career path.
• Possess a broad knowledge of threat modeling and the associated design patterns to correct and/or mitigate security attacks and threats.
• Experience with security designs related to Cloud-native services, service and microservices meshes.
• Familiarity with industry-standard risk modeling and vulnerability classification.
• Ability to create written work products and detailed technical documents.
• Be able to apply unconventional thinking and problem-solve on the boundary of your knowledge base, learning new technologies or languages as needed to solve complex technical controls problems in our product suite.

Preferred Qualifications

• Great interpersonal skills, deep technical ability, and a history of successful execution working with a broad suite of infrastructure to applications layer technologies.
• Experience with one of: Go, Java, Python, NodeJS, etc.
• Experience with RDBMS and non-RDBMS (NoSQL) data store technologies such as PostgreSQL, MySQL, Hadoop, GCP BigQuery, AWS RDS & DynamoDB, GraphQL, and more.
• Experience with Identity-aware proxy and HTTP routing technologies.
• Familiarity with privacy, healthcare and payments processing regulatory frameworks and how they guide or affect secure systems design.
• Experience working with in-house engineering organizations, S-SDLC/CICD software lifecycle.
• Familiarity with one or more of AWS, Azure, GCP, OCI public cloud providers, plus private cloud equivalent service layers.