Security Engineer

Role Overview

As a Security Engineer on Zoom’s Security Architecture team, you will drive security design and reviews across Zoom’s products and services. You’ll partner with engineering teams to design, implement, and validate secure solutions, acting as a trusted advisor for architecture and feature security enhancements.

Responsibilities

• Serve as a security subject-matter expert for end-to-end secure system design and implementation.
• Perform threat modeling, architecture reviews, security code reviews, security assessments, and security testing across:
  • Web applications, native applications, web services
  • Cloud-based services and infrastructure
• Conduct cloud infrastructure security reviews, with emphasis on AWS permissions and configuration (e.g., IAM and S3).
• Perform deep security reviews of new Zoom features and functionality, including:
  • Vulnerabilities aligned to OWASP Top Ten
  • Common issues from NVD
  • Risk identification such as RCE
• Review Java or Python code and verify security posture using manual and automated testing with tools like Burp Suite and Coverity.
• Identify gaps in existing cloud security architecture design/configuration and recommend improvements such as:
  • Authentication, authorization
  • Network segmentation
  • Container configuration
  • Bastion host setup
• Provide hands-on security training and secure coding best practices to engineering teams.

Requirements

• 5+ years in security, plus a Bachelor’s degree in Computer Science/related fields (or equivalent).
• Extensive experience in security testing across web apps, native apps, distributed systems, and cloud infrastructure (AWS).
• Strong foundation in software security architecture, design, threat modeling, secure code review, cryptography, and the SDLC.
• Ability to clearly communicate best practices and effective mitigations, including handling SDLC exceptions.
• Hands-on AWS security experience with common AWS service components.
• Ability to identify design and configuration security gaps.
• In-depth knowledge of network-, system-, and application-layer attacks and mitigations.
• Good knowledge of areas including network/application security (OWASP), infrastructure hardening, security baselines, web server and database security, and applied cryptography.
• Development experience in Java (required).

Compensation

• Minimum: $98,900 (annual)
• Maximum: $228,700 (annual)
• Total direct compensation may include bonus and equity, with pay commensurate to qualifications and experience.