Job Description

Block’s Information Security culture is focused on enabling our engineering teams to build and ship secure products. We achieve this by designing, building, and deploying state of the art security alongside our product and infrastructure teams.

The Software Supply Chain Security team is the team at Block responsible for ensuring that: 

• The information necessary to understand the past and present state of our supply chain exists;
• Block can have confidence at all times in the accuracy of the information about, and the immutability of the inputs and outputs of, our software supply chain;
• There is a chain of custody for each piece of code that comes into and flows out of Block
• Block can prevent, as well as detect and identify as an attack, any alterations to the information necessary to understand the past and present state of our supply chain, to our supply chain systems and process, or to our inputs or outputs; and
• The systems and processes we use and build for storing our source code and built artifacts, as well as those for building and deploying our code, are secured using best practices, and we can report meaningfully on the security stances of those systems.

In short, it’s our job to make sure that Block’s code is secure from PR to Production. We blend third-party tooling with in-house systems to improve the security of our entire software supply chain.

This work will require you to work across team boundaries to design and build solutions that provide visibility into, and improve the security of, the state of our code  and artifact repos, build, CI, and deployment systems. This role will mix security architecture with actually building and integrating tooling.

You will:

• Partner with teams and individuals across the company to secure multiple different CI and build systems, for a wide range of technologies (e.g. web apps, mobile apps, hardware, and back-end systems) and programming languages. 
• Learn about and implement solutions to and mitigations against software supply chain attacks . 
• Work remotely or in any Square office location in the USA or Canada. Occasional travel may be required for team offsites after the pandemic. SSCS is a fully distributed team.

Qualifications

Desired Background:

• You have experience in security architecture, having co-led or led security architecture design and implementation/integration for one or more medium- to large- size systems.
• You have experience writing code to solve security issues. This could be writing security tools, integrating security into products, or automation/management of security-sensitive environments.
• Familiarity with information security systems and practices through at least one of DevSecOps, build engineering, application security, or SDET and at least one other discipline such as systems, software engineering, test, etc.
• You are familiar with at least one cloud platform (AWS, GCP, etc) or on-prem infrastructure deployments.
• You are unafraid to get your hands dirty writing code and performing integration work.
• You work well cross-functionally, and can communicate with audiences who may not have a security background.
• Interest in Software Supply Chain Security (no experience required)

Technologies We Use:

• Ruby and Rails
• Go
• Kubernetes
• Jenkins, BuildKite, Github Actions
• AWS, GCP & on-Prem infrastructure
• Other tools pertinent to Software Supply Chain Security