About the role
The Application Security team discovers and fixes security vulnerabilities in Shopify's products through sources such as internal security assessments and Shopify's public bug bounty program. The team then develops tooling, static analysis checks, and low-level fixes to prevent future vulnerabilities.
Our Application Security team is broken down into three key focus areas:
Our Proactive Security team manually reviews key applications, develops tools to automatically keep dependencies up to date, deploys static analysis tooling to identify vulnerabilities, provides dashboards to help development teams prioritize security issues, and teaches developers how to identify security issues in their own applications.
Shopify runs one of the world's largest bug bounty programs. Our Bug Bounty team continuously improves the program by adding new applications into scope, organizing "live hacking" events, and building tools that streamline our triage process and reduce the time needed to remediate vulnerabilities.
Many external developers use Shopify's API to build things, and merchants expect these integrations to be secure. We build scanning tools to verify that integrations meet our security requirements and automatically notify developers when issues need to be corrected. We also scan for API tokens that have been inadvertently published to sites such as GitHub.
We are looking for leaders to manage our Proactive Security team. If you’re an experienced, people-focused engineering lead, and you’re excited about growing people and teams to help protect our merchants, this role is for you!
Grow the team through both mentoring, acting as a subject matter expert to a team of ICs, and external hiring
Help define the long-term vision of application security at Shopify and rally the team around and towards this vision
Help to roadmap and decompose our vision into granular milestones and projects; aid the team in getting from vision to reality
Own team and technical decisions; demonstrate high quality judgment and help drive team consensus
Build, leverage, and own cross-line and organization relationships
To be successful in this role you will need to:
Possess the technical experience necessary to mentor your team and improve processes
Have demonstrated experience of successfully leading and growing teams
Have a passion for growing people on your teams from junior into senior roles
Be accountable for and drive the execution of your team
Be committed to creating high quality, low-friction, automated (where possible) solutions to help safeguard and champion the security of our merchants
It would be great if you had experience:
Setting up and/or running a bug bounty program
Securing a multi-tenant web application
Performing web application penetration testing using all resources at your disposal, especially source code
Building tooling to help developers deploy secure software
Triaging and resolving security vulnerabilities in the application layer
Conducting application design reviews and building security solutions
Developing web or mobile applications
Interested in applying? Check out "Publicly disclosed issues from Shopify's Bug Bounty program" and "Updates on Shopify’s Bug Bounty Program".
Our belief is that a strong commitment to diversity & inclusion enables us to truly make commerce better for everyone. We encourage applications from Indigenous peoples, racialized people, people with disabilities, people from gender and sexually diverse communities, and/or people with intersectional identities. Please take a look at our Sustainability Reports to learn more about Shopify’s commitments to our communities, and our planet.
At Shopify, we understand that experience comes in many forms. We’re dedicated to adding new perspectives to the team - so if your experience is this close to what we’re looking for, please consider applying.