===

Excerpt: Design and implement scalable security infrastructure and help build a culture of security for a rapidly growing team.

Status: Open

===

About the role

Don’t you wish the security practice at your company was more modern, effective and not chasing its tail? Are you excited by the idea of tackling novel security problems while empowering a delightful experience for end users? If that energy isn’t appreciated where you currently work, join us in developing a proactive, technology-forward product-security discipline, dedicated to eliminating vulnerabilities in application and infrastructure before they even occur. You’ll own the SSDLC and ensure effective security measures are embedded throughout. You’ll be building systems and occasionally building/buying tools that help all of Engineering truly shift left, so you can spend less time chasing vulnerabilities and more time on meaningful security engagement. 

Additionally, this role includes practicing embedded security within Eng teams, teaching them to think through, prevent, and mitigate common security issues all on their own: everything from creating guardrails to implementing AuthN / AuthZ correctly to creating secure and resilient infrastructure as code. The security culture you help create permeates the entire company and has longevity, even when you’re not in the room, because you will help a top-tier Eng team level up. Your work will inform the company’s security roadmap, starting with delivering pieces of a high-speed, automated, and self-service security strategy. 

So far the security projects we’ve worked on have been about:

• Hardening our Kubernetes deployments
• Running and evolving our Bug Bounty Program
• Streamlining our product authorization model
• Optimizing access control company-wide
• Automating vulnerability management

About you!

Must have's:

• 5+ years of product-security experience: 4 years in appsec, 1 in cloudsec
• You write code and are fond of creating your own automation
• Deep understanding of software-security principles and a good understanding of cloud-infrastructure security principles
• Hands-on experience with many of the core infrastructure products that Hex is run on, including Kubernetes, AWS, and Terraform
• You perform code reviews regularly
• Proficient at threat modeling and keeping the models updated
• Able to break down a landscape of scattered security problems, whether complex, simple and/or varies, and group them into logical, achievable components to get the most bang for the buck during quarterly and annual planning
• Possess an instinct for strategic thinking and aligning with business and product goals, while keeping a healthy balance of velocity and security excellence.
• Excel at working with several different engineering teams and codebases, and at communicating with engineers and non-technical partners across many different backgrounds, demonstrating curiosity about how their work contributes to Hex’s success.

Nice to have's:

• Experience scaling and optimizing a bug-bounty program with a good signal:noise ratio
• Involvement with your Security Community 
• Interest in the data space, and a love of shipping great products and building tools that empower engineers and users to do more.
• Curious and willing to dive into the bigger picture of building a company, including go-to-market, customer development, people, and marketing.

Our Engineering team

We’re a group of engineers who are forging new ground together and love partnering with Security on our journey to pull ahead of our competition. You can read about how we think through problems as well as how we learn from mistakes on our blog here:

• How we took down production…
• Beyond Linear Notebooks
• A pragmatic approach to live collaboration

Our Tech Stack

app.hex.tech runs on AWS:

• EKS
• RDS (Postgres)
• EC2
• S3

app.hex.tech uses:

• Node.js
• TypeORM
• Apollo GraphQL
• React
• Redux
• … and more

app.hex.tech is written in:

• TypeScript
• Python
• Node
• Terraform