Coinbase’s mission is to build an open financial system, and our Security Team serves a vital role ensuring that system stay safe. On behalf of our customers, we store and manage more digital currency than any company in the world. The Product Security team exists to protect our outermost surface area to that digital currency: the web and mobile apps our customers use and love every day. Part Architect, part Engineer, part Evangelist, and part traditional Application Security, the Product Security team is tasked with doing what’s right to help the Product Engineering teams deliver default Secure products.

Responsibilities:

• You will be working closely with a handful of product teams, helping them ship default secure, default private features and products.

• As appropriate, you will be doing Architecture reviews and Threat Modeling of critical engineering work

• You will help us scale the capacity and capability of the security team through automation, documentation, and safe default templating. One of our mottos is ‘Never the same bug twice’. This is, undoubtedly, the most important way for us to scale default safely.

• As developers interact with critical code paths, you will be asked to provide code reviews and feedback on the proposed changes.

• You will review, pentest, and analyze existing code bases to uncover vulnerabilities, and help teams fix the bugs you find.

• Based out of Chicago, we expect you to be working quite closely with our Markets team as they build the next iteration of our Coinbase Pro backends.

Requirements: 

• Programming experience or ability in one of our core languages. At current inventory, we use Ruby (Sinatra & Rails), Golang, JavaScript (Server & client flavors), Java/C++ (physical trading engine stack), Python (Data/ML stack), and Swift/Kotlin (among others for the mobile stack). You don’t need to be a whiz, but we expect you to be able to write enough to push out fixes and simple features.
• Fluency in a risk and threat modeling methodology. You don’t need to be able to rattle off everything in the CWE as you iterate through STRIDE, but structure and fluidity in your analyses will really help you communicate efficiently across teams.
• Mobile or Web Application Security experience. Be it source code audit, penetration testing, bug bounty triage, or code reviews, you’ll be expected to examine code with security critical eyes.
• Strong written and verbal communication skills, specifically on security topics. The work our team does is consumed by a startling number of audiences, so being able to effectively communicate across those people will be invaluable in stopping confusion and saving roundtrips.

Coinbase is committed to diversity in its workforce and is proud to be an equal opportunity employer. Coinbase does not make hiring or employment decisions on the basis of race, color, religion, creed, gender, national origin, age, disability, veteran status, marital status, pregnancy, sex, gender expression or identity, sexual orientation, citizenship, or any other basis protected by applicable local, state or federal law. Coinbase will also consider for employment qualified applicants with arrest and conviction records in a manner consistent with San Francisco’s Fair Chance Ordinance and similar local laws.