Sr. Product Security Engineer

TN United Kingdom

United Kingdom

Remote

GBP 60,000 - 100,000

Full time

2 days ago

Job summary

Join a forward-thinking company as an individual contributor on the product security team, where you'll play a crucial role in enhancing the security development lifecycle for innovative products. Your expertise will help mitigate vulnerabilities through comprehensive security design reviews, threat modeling, and manual code reviews. Collaborate with a global team to support incident response and vulnerability management, ensuring that security is prioritized alongside product development. This is an exciting opportunity to make a significant impact in a dynamic environment focused on maintaining high security standards.

Qualifications

  • 3+ years of experience in threat modeling and identifying design issues.
  • Proficient in scripting and automation related to exploits.

Responsibilities

  • Provide full SDLC support for new product features and security assessments.
  • Analyze SAST tool results to identify and report genuine issues.

Skills

Threat Modeling
Web Security
Cloud Security
Systems Security
Applied Cryptography
Scripting
Automation
Exploit Writing
Fuzzing

Job description

The Product Security Team's mission is to left-shift SDLC (Security Development Lifecycle) processes for all code written at Databricks (whether for customer use or for supporting customers internally), to reduce the likelihood of introducing new vulnerabilities in production and to minimize the count and effect of externally identified vulnerabilities on Databricks services.

You will be an individual contributor on the product security team at Databricks, managing SDLC functions for features and products within Databricks. This includes security design reviews, threat models, manual code reviews, exploit writing, and exploit chain creation. You will also support the Incident Response (IR) and Vulnerability Response Program (VRP) efforts when vulnerabilities or security incidents occur. You will collaborate with a global team across various locations in the US and EMEA.

Impact

  • Provide full SDLC support for new product features, including threat modeling, design review, manual code review, exploit writing, etc.
  • Support incident response and vulnerability management efforts with other security teams.
  • Analyze SAST tool results to identify false positives and report genuine issues.
  • Work on DAST tools and automation for security assessment and defect reporting.
  • Maintain and enhance automation frameworks to support security compliance initiatives such as FedRAMP, PCI, HIPAA, etc.
  • Prioritize security risks effectively, balancing security needs with product development goals.
  • Develop and implement security processes to improve overall security and SDLC efficiency.

Qualifications

  • At least 3 years of experience with threat modeling and identifying design issues through data flow diagrams.
  • Strong understanding of at least two domains among Web Security, Cloud Security, Systems Security, and Applied Cryptography.
  • Proficiency in scripting and automation related to exploits.
  • Fuzzing skills are advantageous.
  • Exploit writing skills are highly desirable and often required.