Security Engineer

What You Can Expect

The Security Engineer is responsible for security design and reviews across Zoom’s products and services. This role demands broad technical expertise and hands-on experience in end-to-end product security. You will collaborate with engineering teams to design, implement, and validate secure solutions, serving as a trusted security advisor. This includes guiding architecture and reviewing implementation, particularly for new features or security enhancements. This is a unique opportunity to work with cutting-edge cloud and security technologies, making a direct impact on Zoom’s platform.

About The Team

The Security Architecture team is dedicated to ensuring Zoom releases and deploys secure products. We work with diverse engineering, compliance, and DevOps teams across the organization to meet security goals and maintain compliance with established SLAs.

Responsibilities

• Serve as a security subject-matter expert, guiding engineering teams in end-to-end secure system design and implementation.
• Conduct threat modeling, architecture review, security code review, security assessment, and security testing (web application, native application, web services, cloud-based services, and infrastructure assessments).
• Perform cloud infrastructure reviews from a security perspective, focusing on AWS permissions and configuration issues within components like IAM and S3.
• Conduct in-depth security reviews of new Zoom features and functionalities, identifying vulnerabilities such as those in the OWASP Top Ten, common issues from the NVD, and risks like RCE.
• Review Java or Python code and verify security posture through manual and automated testing using tools like Burp Suite and Coverity.
• Identify gaps in existing cloud security architecture design/configuration, recommending changes or enhancements (authentication, authorization, network segmentation, container configuration, bastion host setup, etc.).
• Provide hands-on security training and secure coding best practices to engineering teams.

What We’re Looking For

• Bachelor's degree in Computer Science, Information Science, Cyber Security, Computer or Electrical Engineering (or similar field), and 5+ years in security.
• Extensive experience in security testing in various environments, including assessing the security posture of web applications, native applications, distributed systems, and cloud infrastructure such as AWS.
• Focus on securing web services, infrastructure, deployment, and platform core services.
• Solid understanding of software security architecture, design, threat modeling, secure code review, cryptography, and the SDLC.
• Ability to clearly communicate best practices and effective mitigations for application security, particularly SDLC exceptions.
• Hands-on security experience working with AWS and common service components within AWS, identifying security gaps in design and configuration issues.
• In-depth knowledge of network-based, system-level, and application layer attacks and mitigation methods.
• Good knowledge of technology and security topics including network and application security (OWASP), infrastructure hardening, security baselines, web server, database security, and applied cryptography.
• Good development experience in one or more programming languages and platforms such as Java is required.

Key skills/competency

• Product Security
• Cloud Security (AWS)
• Threat Modeling
• Security Architecture
• Secure Code Review
• Application Security (OWASP)
• Security Testing
• IAM & S3 Configuration
• Java/Python Development
• SDLC Security