The Staff Engineer, Content Security, reports into the Director of Application and Cloud Security at The Walt Disney Studios based in Burbank. This role is part of the team that is responsible for validating that our content creation and delivery platforms, services, applications, workflows, and websites are designed and implemented to the highest security standards. You will be responsible for assisting in the secure design and analysis of on-premise and cloud-based infrastructure and applications where studio content is produced. This is a deeply technical role, requiring a solid understanding and experience implementing a variety of cloud infrastructure solutions and services, as well as network security, identity, cyber security, privileged access, and related technologies, using solid design principles.
Responsibilities

• Conduct security architecture and design reviews of Disney and 3rd party managed applications and cloud infrastructure, documenting issues related to infrastructure, application and content security.
• Lead in-depth security assessments of complex workflows spanning multiple applications, performing and/or coordinating multiple security assessment workstreams such as threat modeling, penetration testing, DAST scanning, and code review.
• Review output from Dynamic Application Security Testing (DAST) tools executed by junior engineers, and provide feedback on results.
• Evaluate the security posture of cloud environments through manual review and automated tooling. Review output from Cloud Security Posture Management (CSPM) tools. Provide guidance to junior engineers as to the results of each scan and approaches to remediating issues.
• Conduct hands-on security testing of web, mobile applications and cloud-based services. Be capable of identifying traditional application-level issues such as injection, authentication and misconfiguration vulnerabilities, but also identify vulnerabilities that lead to bypass of content security controls.
• Maintain current knowledge of security threats and vulnerabilities that could impact products and their technology stack components and help product teams identify solutions that meet security requirements.
• Contribute to technical deep dive meetings with both internal and external application teams. Document in detail the technical stack and security features of products or services being discussed.
• Participate in proof of concepts and other technical evaluations of technologies, designs and solutions and provide recommendations and security requirements.
• Serve as a point of escalation/mentor for junior engineers, and provide guidance on use of DAST, SAST, CSPM tools and application/cloud security best practices. Participate in the evaluation of security tools used across the organization.
• Participate in meetings with corporate security and other security partners across the company and studios, and provide input on tactics or strategies for consuming shared services provided by these teams.
• Document secure configuration guidance for products being assessed, clearly and concisely identifying key product features used to secure studio content.
• Establish and maintain good working relationships with all team members, partners, and customers.
• Stay abreast of emerging technologies and threats as well as proactively assess and evaluate the adoption thereof into the organization.
• Reduce time-to-detect and time-to-remediate by driving the automation of applied threat intelligence and sensor enrichment.
• Support studio partners, in the testing and deployment phases of all security solutions initiatives, to ensure smooth operational knowledge, development and transition.
• Engage in efforts that shape the organization's security policies and standards for use in cloud environments.
• Interpret security and technical requirements into business requirements and communicate security risks to relevant stakeholders ranging from business leaders to engineers.
• Direct and influence multi-disciplinary teams in implementing and operating Cyber Security controls.
• Collaborate with application development and infrastructure teams to deliver creative solutions to difficult technology challenges and business requirements.
• Employ cloud-based APIs when suitable to write network/system-level tools for safeguarding cloud environments.
• Spot and execute new security technologies and best practices into the company's cloud offerings.
• Adhere to all policies, rules, regulations, and procedures.
• Perform other duties or functions as requested by management.

Basic Qualifications

• 7 - 10 Years of experience in cybersecurity and cloud infrastructure engineering/architecture with MS/BS degree in Information System Management / Computer Science / Information. Security or a related technical discipline.
• Significant penetration testing experience and offensive capabilities in numerous core. competency areas including web applications, mobile applications, networks, cloud and infrastructure.
• Basic knowledge of content security controls such as DRM, and visible and forensic watermarking is required.
• Detailed understanding of Network Technologies Routers, switches, Load Balancers, firewalls, proxy etc.
• Solid understanding of network and security protocols including TCP/IP, IPSEC, SSL, TLS and HTTPS.
• Knowledge of RESTful web services (client-server application).
• Strong familiarity with CI/CD principals, tools and services.
• Knowledge of and experience in the area of security operations is a plus.
• Experience of and securing a microservices environment is a requirement. Along with demonstrable knowledge of container technologies such as Kubernetes and Docker and securing such environments.
• Working knowledge of languages including JavaScript, Python and Java.
• Proven experience securing large-scale, highly available security solutions is required.
• In-Depth Knowledge of Public Cloud such as AWS, Azure and GCP.
• Relevant security certifications such as OSCP, ISC2 CISSP, SANS, CEH, etc. are a major plus.

Preferred Qualifications

• Must have excellent presentation and written/verbal communication skills.
• Strong analytical, organizational and decision-making skills.
• Willingness to travel occasionally.
• Self-motivated, and outgoing.
• Proven track record of driving application security assessments for an organization.

Required Education
Bachelor's degree in Computer Science, Information Systems, IT Engineering, or a related field
Certifications
CISSP, SANS, CEH, AWS-SAA, AWS-CSS, AZ-500, MS-500, AZ-300, CCA, CCP, CCSK, Cloud+, CEH, Pentest+, Linux+, Network+, LPIC-1, GSEC, GCIH, HashiCorp Associate, MCSE, VCP-CMA
DISNEYTECH
#LI-AS3
The hiring range for this position in California is $136,038 to $182,490 per year. The base pay actually offered will take into account internal equity and also may vary depending on the candidate's geographic region, job-related knowledge, skills, and experience among other factors. A bonus and/or long-term incentive units may be provided as part of the compensation package, in addition to the full range of medical, financial, and/or other benefits, dependent on the level and position offered.