Product Security Engineer

About the Role

As a member of our security team, you will build secure-by-default, defense-in-depth, and least privilege mechanisms throughout our product lifecycle. You will work closely with engineering teams on security best practices from design and architecture to implementation and monitoring. You will have the opportunity to build from the ground up to experiment and innovate with modern software security practices.

Responsibilities

• Create paved roads for engineers to develop securely by default and build guardrails for when we veer off course

• Conduct regular architecture reviews and code audits to detect potential threats, risks, and vulnerabilities

• Harden our CI/CD pipelines and improve the integrity of Clerk’s software artifacts

• Contribute to and improve Clerk’s vulnerability management program including vulnerability disclosure, security scans, and penetration tests

• Provide guidance and training to teammates on security best practices and building resiliency into our systems

• Collaborate with our Infrastructure team to establish secure infrastructure-as-code modules and minimal base container images

• Document secure development policies and practices

Qualifications

• Proven experience in a software security, application security, or product security role with 7+ years (use this as a gauge, not a hard requirement) of hands-on experience

• Strong empathy with the ability to enable engineers to move quickly and securely, ideally having previously worked as a software engineer

• Expertise in proactive secure coding practices such as encryption, secrets management, and eliminating vulnerability classes (e.g. in the OWASP Top 10)

• Experience with reading and writing code in Go, TypeScript, or similar languages with the ability to dive into codebases, debug, and suggest fixes

• Experience with application security tooling (SAST/SCA/DAST/etc.) and building custom queries using Semgrep/CodeQL/etc.

• Experience with authentication and authorization protocols such as OAuth, OpenID Connect, and SAML

• Familiarity with Supply-chain Levels for Software Artifacts (SLSA)

• Familiarity with Cloud infrastructure platforms, preferably GCP

Benefits

• 💰 Competitive Salary – We want you to know that we value the skills and experience you bring to the table. We go out of our way to make sure that you feel fairly compensated.

• 📈 Equity Ownership – At Clerk, we believe in shared success. That's why we offer a stock option plan so that everyone can benefit from the growth and prosperity of the company.

• ⚕️ Health Coverage – We care about your well-being. That's why we offer top-tier health insurance to ensure that your health needs are fully met.

• 🎧 Work Gear - Set up your ideal home office with the gear of your choice. At Clerk, we want to ensure that you have everything you need to perform at your best.

• 🏖️ Flexible Vacation Policy – We believe in work-life balance and trust you to take the time you need. Although we recommend 25 days per year, our vacation policy is unlimited. This is in addition to observing national holidays specific to your country of residence.

• 🌍 Diverse and Inclusive Team – Join our exceptional, diverse, and globally distributed team at Clerk. We are committed to fostering an inclusive environment where everyone can contribute their best in building impactful products and tools for the modern web.

Clerk is an equal opportunity employer that is committed to diversity and inclusion in the workplace. We prohibit discrimination and harassment of any kind based on race, color, sex, religion, sexual orientation, national origin, disability, genetic information, pregnancy, or any other protected characteristic as outlined by federal, state, local or national laws.

This policy applies to all employment practices within our organization, including hiring, recruiting, promotion, termination, layoff, recall, leave of absence, compensation, benefits, training, and apprenticeship. Clerk makes hiring decisions based solely on qualifications, merit, and business needs at the time.