Staff Engineer, Security Engineering @ Grubhub | Jobright.ai
Staff Engineer, Security Engineering jobs in DC-Baltimore Area
148 applicants
Grubhub · 3 days ago

Staff Engineer, Security Engineering

E-Commerce · Food and Beverage
Actively Hiring
Hiring Manager: Katie Cavote

Responsibilities

Identify lacking security-sensitive functionality in Grubhub’s applications and services, translating those control gaps into actionable engineering remediation plans and solutions
Design, build, deploy and drive adoption of embedded security tooling in conjunction with internal services and platform teams
Perform threat modeling, design, and code reviews to assess security implications and requirements for the introduction of new security systems and technologies
Drive initiatives with outside teams to re-engineer existing services to ensure that Grubhub remains resilient against the latest security threats
Bridge security domain knowledge gaps through technical mentorship of a team of passionate engineers while also delivering uniquely challenging projects.

Qualification

Web security, Cloud security, Security engineering, Programming languages, CI/CD pipeline, Code reviews, Middleware technologies, Distributed systems, Version control (Git), Agile methodology, Security certifications, iOS development, Android development, Threat modeling, Risk modeling, Vulnerability classification, Incident participation, Load balancing, Embedded device security

Required

Bachelor's in Computer Science, Engineering or a related field
Professional experience of 8+ years in at least two security domains: web security (inclusive of APIs, backends, frontend and microservices), edge/perimeter security, mobile security, cloud security, systems security, or reverse engineering
7+ years of industry experience in a software development environment with expert-level proficiency in programming languages like Java, Python, or C++
Demonstrable experience developing libraries and frameworks that are pre-vetted for security, which developers can use to avoid common vulnerabilities.
Hands-on experience incorporating security checks and tests into the CI/CD pipeline so that every code change is automatically reviewed for security issues before it is deployed.
Demonstrable experience in conducting code reviews to identify security deficiencies in how business logic is implemented.
Experience designing, implementing, and deploying production-quality security engineering systems and incorporating security standards into supporting subsystems as needed.
Hands-on experience with middleware, message queues, caches, and other related technologies.
Strong experience in architecture design, high-availability, high-performance, distributed systems and working with 5x9/zero-downtime systems.
Demonstrable commitment to engineering and operational excellence–to include development + monitoring of SLOs/SLIs to assure adherence to EOE standards–with direct experience in driving security outcomes within an engineering culture.
A broad knowledge of attack vectors, exploits and mitigations that work at scale or may be linked together for chained attacks
Working familiarity with version control systems (Git), issue tracking tools (Jira) and ability to define + support your commitments within an Agile working model.
Ability to communicate ideas and proposals concisely to a wide range of audiences
Ability to author both technical and non-technical documentation on a continuous cadence.
Ability to fully participate in our on-call rotation as a service owner

Preferred

Master’s (or Ph.D) in Computer Science, Engineering or a related field
A security industry-related certification such as Certified Information Systems Security Professional (CISSP) or Offensive Security Certified Professional (OSCP)
Knowledge of both iOS and Android architecture and development
Expert-level knowledge within identity and access management security domain, inclusive of role-based access controls, factors-based authentication and identity-based attack (both legacy and emergent) patterns.
Willingness to participate in incidents as needed as a security SME
Familiarity with industry-standard threat modeling, risk modeling and vulnerability classification.
Prior experience leading the design or reconstruction of complex systems, preferably in e-commerce or retail-related fields.
Deep understanding of the related theories of distributed systems, such as load balancing, distributed transactions, CAP/BASE, etc.
(Bonus) Experience with hardware or embedded device security such as what you would find in a kiosk or a point-of-sale system

Benefits

Flexible PTO
Excellent medical, dental and vision benefits
401k matching
Employee network groups
Paid parental leave
Highly-competitive compensation package
Generous incentives
Bonuses
Commission
RSUs
Weekly Grubhub credit to enjoy and support local restaurants

Company

Grubhub is an online and mobile food ordering and delivery marketplace dedicated to connecting diners with local restaurants.

Funding

Current Stage: Public Company
Total Funding: $284.1M
Key Investors: Amazon, Yum!, T. Rowe Price
2022-07-06: Post IPO Equity · Undisclosed
2020-06-10: Acquired · by Just Eat Takeaway ($7.3B)
2018-02-08: Post IPO Equity · $200M

Leadership Team

Christina Dorobek, VP, Enterprise Restaurants
Sean Ir, Director, Strategic Partnerships
Company data provided by crunchbase