
Product Security Engineer @Fitbit


Fitbit is building a new security team in Bucharest. 


Full details here: https://grnh.se/gmt7lrkc1



Brief description of the job:

The application security team at Fitbit is responsible for overseeing the secure design and implementation of applications.

We do this by:

  • Consulting with software engineers to ensure the relevant controls are built into their work
  • Assessing software produced by Fitbit and its partners
  • Participating in the security community to understand new and emerging threats

We try to achieve our mission through innovative ways of collaborating with our software teams that allow them to continue to deliver at scale and ve


What You’ll Work On:

  • Conduct threat modelling exercises
  • New security-sensitive functionality (e.g. changes to authentication flows) requires a security team member to be involved
  • New application infrastructure, e.g. entirely new SOA services, requires feedback from a security engineer
  • Provide application security consulting to engineers
  • Perform manual and automated code review
  • Our goal is to automate as much of our role as possible
  • Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer
  • Help enable self-service reviews for engineers
  • Work on tooling to expedite the process of doing software reviews
  • Perform ad-hoc application assessments
  • Assist with Fitbit’s Bug Bounty programs
  • Help with the replication, prioritization and filing of issues identified via our bug bounty programs
  • Assist with Fitbit’s developer outreach efforts
  • Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them


Required Skills:

  • Significant experience in application penetration testing and source code review
  • Knowledge of mobile and web application architecture
  • Ability to read and break code written in different languages, emphasis on Java
  • Strong understanding of applied cryptography
  • Strong understanding of web application security technologies like CORS, OAuth, JSONP and browser security concepts such as the same origin policy
  • Experience with static and dynamic application security tools
  • A passion for security and technology
  • Experience in a variety of software development environments and knowledge of contemporary agile software development methodologies
  • Experience with test-driven development and other agile practices
  • Broad knowledge of all areas of information technology including networking, operating systems and ideally application development
  • Strong software development skills in at least one language
  • Aspires to develop a deep understanding of information security
  • Experience as a system administrator or security engineer
  • Experience with managing information security incidents
  • Solves problems through scripting and automation
  • Willing to learn new things
  • Willing to look for innovative or non-standard solutions to problems
  • Good sense of humor
  • Calm under pressure
  • Good time management skills
  • Interactions with other teams
  • The application security team is responsible for consulting with software engineering teams about the best and safest way to implement their features. They are also responsible for reviewing the output of software engineering teams for safety.
  • As such, strong interpersonal skills are required. This person needs to be able to diplomatically provide software engineers with advice, and to coach developers through problems that may be identified in their work.
  • The successful applicant will be able to positively influence software engineers’ behaviour through their interactions.


Nice-to-Have Skills:

  • Have a strong development background
  • Background in infrastructure penetration testing
  • Experience with compliance such as PCI and/or ISO27000
  • Experience with exploit/proof of concept development
  • Experience in information security consulting
  • Experience in in-house application security teams at larger technology companies with a reputation for security engineering
  • Had incident response experience
  • Developed tooling to automate information security tasks
  • Have a wide knowledge from diverse parts of IT
  • Worked on open source security projects
Edited by crash4g
updated link