Senior Security Engineer - remote

The New York Times
Posted 3 years ago
As a member of the DevSecOps team, your day-to-day job would include evaluating the current application environments and development procedures and evolving them toward more secure and compliant states. You will also be part of a team responsible for building platforms that ensure that the various systems at The New York Times continue to operate in a reliable and efficient manner. This position reports to the Director of Security Architecture in the Information Security organization.

Who are we?
Information Security helps prevent The Times from becoming news.
Our team works to protect the news makers, their support staff and the platforms they rely on every day, as well as all of The Times' products and services and the readers who consume them.

Responsibilities
  • Create an environment that favors context, not control. Empower engineers and ensure they have the relevant information and tools to deliver secure products and services
  • Create DevSecOps standard operating procedures and best practices 
  • Identify nuanced vulnerabilities in CI/CD pipeline systems
  • Coordinate with customer teams to streamline code deployment process
  • Improve usability, efficiency, security, reliability, and performance of customer software development efforts
  • Develop mitigation strategies for keeping our customers safe
  • Develop comprehensive reports and presentations for our customers
  • Be part of a cross-organizational team responsible for designing and promoting secure architectures and development practices.
  • Build secure environments with infrastructure as code principles
  • Provide mentoring and evangelize best practices to the product development teams.
  • Contribute to automating security principles and checkpoints into the CI/CD pipeline and containerization process
  • Analyze and harden existing infrastructure, automation, application coding and DevOps process
  • Collaborate effectively with other teams, including Engineering leads, Compliance and product development teams, to implement best practices, remediate vulnerabilities, educate employees, and keep customer data safe.
  • Operate and be on call for infrastructure such as Vault, Consul and Twistlock.

Required Experience
  • 5+ years of experience in the development operations and/or security engineering space
  • Understanding of security controls across all security domains such as access management, encryption methods, vulnerability management, network security and authentication
  • Knowledge of one or more cloud platforms (AWS, GCP) and best practices for architecting security and guardrails into those platforms
  • Good understanding of modern software development practices such as CI/CD and shifting security left
  • Working experience with containerization and orchestration platforms
  • A bias towards helping people. Many teams will rely upon you for help to build their systems.

Nice to Have
  • Security/Compliance or DevOps certifications
  • Programming in Go/Python on a production application
  • Experience with Terraform and Packer
  • Experience with Continuous Integration and Continuous Delivery techniques and tooling

Some of the tech we use
Go, Bash, AWS, GCP, Terraform, Packer, Docker, Kubernetes, Vault, Consul, Drone, Checkmarx