Staff Product Security Software Engineer

Quora

Remote - Worldwide

Summary

Join Quora's newly created Security Engineering Team as a key member, contributing to the safety and security of both Quora and Poe platforms. The team focuses on building robust protections for products, infrastructure, and people. This role requires expertise in secure web application development, client-side security, cross-browser compatibility and privacy, performance and security tradeoffs, and security testing and tooling. You will provide security guidance to engineering teams, perform security architecture reviews, drive the development of security review processes, build security tools, conduct code reviews and penetration tests, and lead incident response. The position is remote-first and offers a wide range of benefits. Quora values diversity and inclusivity.

Requirements

  • Secure Web Application Development: You are proficient in developing secure web applications and APIs, with a strong understanding of the OWASP Top 10 and other common web vulnerabilities such as XSS, CSRF, SQL injection, and clickjacking. You have experience implementing mitigations such as Content Security Policy (CSP), SameSite cookies, and secure HTTP headers. You are adept at building secure authentication and authorization mechanisms, including OAuth, OpenID Connect, SAML, and JWTs.
  • Client-Side Security: You have expertise in improving the security posture of client-side web applications. You understand the nuances of browser extensions, sandboxing, and JavaScript security. You are knowledgeable about secure JavaScript frameworks. You can identify and mitigate attacks like DOM-based XSS and other client-side vulnerabilities.
  • Cross-Browser Compatibility and Privacy: You are familiar with the intricacies of cross-browser compatibility and the security implications of browser-specific features. You are passionate about advancing privacy-respecting features in web applications, such as implementing proper cookie handling, using privacy-preserving APIs, and reducing fingerprinting risks. You follow developments in browser security policies like the SameSite, Secure, and HttpOnly cookie attributes.
  • Performance and Security Tradeoffs: You understand the fine balance between performance optimization and security requirements in web applications. You can implement advanced security measures, and you are skilled in analyzing and mitigating the impact of security features on page load times, caching, and scalability.
  • Security Testing and Tooling: You have hands-on experience with security testing tools such as Burp Suite, ZAP, or browser developer tools for identifying vulnerabilities in web applications. You can write custom scripts to automate browser-level security testing and have experience with fuzzing and penetration testing for browsers and web technologies.
  • Emerging Web Standards and Protocols: You stay ahead of the curve by following developments in emerging web standards and protocols like HTTP/3, WebAuthn, and the latest advancements in TLS. You are excited about contributing to the evolution of secure web technologies and implementing these advancements in production environments.
  • Sweat the Right Details: You thrive on understanding the details but also know how to ruthlessly prioritize the critical issues.
  • Right-Size the Solution: You recognize that guidelines and frameworks do not always fit the problem, and you know how to adjust the solution for scalability without always building at scale.
  • Ownership: You are outcome-focused and can deftly navigate obstacles, decompose complexities, manage your time, and communicate your vision to peers and management.

Responsibilities

  • Availability for meetings and impromptu communication during Quora's "coordination hours" (Mon-Fri: 9am-3pm Pacific Time)
  • Provide security guidance to engineering teams and work with privacy, product, and engineering teams on securing customer data
  • Perform security software architecture reviews and integrate threat modeling and abuse cases into the SDLC; advise on and implement secure software architecture patterns
  • Drive the development and implementation of standard security review processes across the company that result in effective methods for reducing security risks before product releases
  • Build features or application security tools within existing development, build, and deployment processes to ensure strong security in Quora's products
  • Conduct dynamic and static code scan reviews and run-time tests
  • Assist with the planning and execution of application penetration tests
  • Conduct initial incident triage; determine the scope, urgency, and potential impact of security incidents; lead and coordinate the incident response process

Benefits

  • Medical/dental/vision coverage
  • Equity refreshers
  • Remote work reimbursement
  • Paid time off
  • Employee assistance programs
