About the role
We’ll cut to the chase then 💁🏽♀️ - if “secure by design” is your mantra (and you truly walk the walk), read on!
The Trust Team works to safeguard trust in Shopify, whether that’s trust from merchants, buyers, partners, regulators, or our own employees. We are made up of Security Developers, Technical Security Analysts, Security Operations Engineers, Incident Responders, IT Specialists and many others, who all come together to ensure our product, infrastructure, and internal systems are secure in a way that’s unobtrusive, scalable, and easy to use by merchants and employees alike. Whether we’re securing our cloud environment, ensuring that we are meeting our compliance obligations, or building automated vulnerability detection systems, we’re working together to make Shopify, the world’s fastest growing commerce platform, one of the most trustworthy platforms on the planet. 🌍
We are looking to grow our Trust leadership team, both in terms of technical leadership and people leadership. The roles we are looking to fill span the disciplines of security incident response, mobile/web application and infrastructure security, as well as corporate systems and security, all with an aim to ensure Shopify’s platform and systems are able to scale while staying secure and usable. If you want to take the lead on work that impacts thousands of developers and millions of customers, and you genuinely enjoy tackling complex security problems at scale, we have a role for you.
As a Lead on our Trust team, you’ll get to spearhead engaging projects in an area you’re passionate about. Not sure what interests you most? Here are some of the things you could do:
- Improve account security and abuse detection on the Shopify platform through various projects
- Mentor, develop and support a team of security engineers, while helping to hire and grow a diverse team
- Establish and drive the mobile security roadmap for Shopify
- Perform security reviews in mobile or web applications, including code and design reviews, and guide developers on how to ship features securely
- Partner with merchant-facing product teams to build usable security features into their products
- Develop a clear voice and communication strategy as part of our security incident response program
- Bridge gaps by providing technical security input to teams outside Trust, in order to strengthen our incident response capabilities
- Build a threat intel sharing relationship with vendors, security teams, and external working groups
- Build security into and on top of one of the largest Kubernetes deployments in Google Cloud (we are operating a fleet of 50+ clusters)
- Collaborate with other Shopify developers to understand their needs and ensure our team works on the right things
- Coordinate red team exercises to test Shopify’s incident response framework
- Build tooling that delights Shopify developers and allows them to code securely, without security being an afterthought
- Build and scale distributed, multi-region secure systems
- Investigate and resolve security issues
- And plenty more!
We also understand the importance of sharing our work back to the developer community:
- Pete Yaworski’s year in review of our bug bounty program
- better-html, a Ruby gem released by our team
- Diana Birsan and Steven Scott’s talk on internal security in a default to open culture
- Shipit: Our open-source deployment tool
- Kubeaudit, an automated way to get a snapshot of the security of all your containers
- Mobile vulnerability reports disclosed on our bug bounty program
Interested in applying? You should have experience with one or more of the following (don’t stress, we are not expecting experience in all of the following!):
- Being a developer who is comfortable with multiple languages such as Ruby, Go, and Lua
- Leading a technical team, focusing on mentorship and continual growth while keeping a mindful pulse on team health 🧘🏼♀️
- Mobile development experience. 📱 You’ve built native mobile applications for iOS or Android (or both!), in Objective-C, Swift, Java, or Kotlin
- Hands-on experience with cloud infrastructure ☁ (AWS, GCE, Azure, Kubernetes, Docker)
- Detecting, investigating, responding to, and managing security threats and technical abuse cases
- Thorough knowledge of mobile security issues. You’ve built a library in your mind of common issues, and continually learn more about new applications and issues
- Creating and pushing adoption of security development tools to a large, distributed development team
- Automating security into development processes such as continuous integration and continuous delivery
Tools of our trade: Ruby, Rails, Go, Kubernetes, Splunk, Google Cloud, JAMF
Is some of this tech new to you? That’s OK! We know not everyone will come in fully familiar with this stack, and we provide support to learn on the job.
Our teams are distributed in-office in Canada 🇨🇦 (Ottawa, Toronto, and Montreal), and we have a great Mobility team that tailors individual relocation and immigration packages to best support your move. ✈️
We know that applying to a new role takes a lot of work and we truly value your time. Ash and Marina are looking forward to reading your application!