Products and Technology
The Reference Designs, Security Controls, and Architecture (REDSCAR) Team is focused on reducing the security risk and systemic security issues in Salesforce infrastructure and products. This is executed by developing and publishing reference architecture (patterns), supporting documentation that demonstrates how to use and implement security controls correctly on premise (1P) and in public cloud (e.g. AWS, Azure), and guardrails that allow us to reduce risk at scale. There is a lot of complexity driven by the inherent technical debt, but we succeed by influencing, advocating, and promoting technology transfer of the patterns we produce to all our stakeholders (both internal and in the CISO org). Our vision is that our solutions are widely accepted and adopted throughout the company, and a laser focus on success is maintained in this area through influence and advocacy. We believe that in all cases, workable implementations are one of the most influential ways to drive change within our organizations.
While we are involved in and driving efforts across multiple platforms, with a specific focus on Infrastructure Security, there is currently an emerging need to enhance our coverage and engagement around security controls for Alibaba as well as Application Security.
In addition, there is a need to transition our immediate organization to a unified risk rating framework and establish a cross-organizational program to design and conduct periodic assessments of common security controls at Salesforce. Effectiveness assessments must be able to effectively and efficiently determine the operational effectiveness of common controls and their extent of adoption at Salesforce, to clearly depict which level of effectiveness each control falls under (inoperative, inadequate, adequate, effective, optimized). The results of the assessment are considered critical, as they will allow the entire organization to drive consistency when determining inherent risk and will be used to prioritize future investments. They will need to be communicated to a wide range of stakeholders, including the leadership team.
Finally, there is a strong need to reduce systemic security risks at scale. Focusing on the most prevalent vulnerability classes and identifying scalable ways to reduce security risks at scale through process, tooling, policy, architecture, and/or training enhancements is crucial for managing risk and inherent technical debt.
Cloud Security Role Must-Have:
- Significant demonstrated experience architecting and developing security solutions during the secure software development lifecycle program or secure lifecycle improvement efforts
- Experience working in high velocity distributed software development organizations e.g. Facebook, Netflix, AirBnB, Amazon, Google, etc.
- Involvement in one or more non-trivial public cloud migration programs in the past 5 years where you designed and developed solutions to support this effort
- Experience developing mitigations to OWASP Top 10 Security vulnerabilities and/or WASC 25 Security Vulnerabilities
- Strong understanding of application security controls and their implementation at scale (e.g. SAST, DAST, security libraries, 3rd-party libraries, software supply chain vulnerability management)
- An ability to translate from compliance and security requirements through product requirements and implement them in automation
- Demonstrated experience establishing and leading cross-functional programs
- Ability to adapt to evolving security and business priorities quickly and effectively
- You understand penetration testing methodologies and defensive implementations to mitigate these concerns
Data Security Role Must-Have:
- Significant experience with modern infrastructure and application development using public cloud primitives. You should be familiar with K8s, Serverless Architecture, and Infrastructure as Code tools like Terraform, Ansible, Chef, Puppet, SaltStack
- Demonstrated understanding and nontrivial development experience in AWS or Alibaba (experience with Azure and GCP is a plus)
- Experience building security tools for Continuous Integration (CI) and Continuous Deployment (CD) systems. Familiarity with DevSecOps principles for integrating security solutions in products like Jenkins, Spinnaker, Helm, at scale.
Nice to have:
- Experience developing mitigations to cryptography vulnerabilities in cryptography libraries and cryptography services.
- Experience driving remediation of cryptography debt at scale across organizations.
- Experience managing PKI infrastructure and demonstrated knowledge of PKI security best practices and standards.
- Familiarity with industry-standard data security practices as it pertains to data classification, and writing specifications and security models for large-scale data warehouses.
- Experience with implementing, contributing source code to, or wielding automated security assurance solutions in the public cloud (e.g. zelkova, open policy agent).
- Public profile and history of delivering talks and presentations at leading security conferences (e.g. USENIX, Enigma, AWS Re: Invent, CloudNative Computing Foundation) is a plus.
- A body of contributions to open source security projects that are related to the public cloud is a plus.
- Familiarity with cryptographic protocol analysis as a technique for identifying flaws in cryptographic protocols.
- You are comfortable/familiar with qualitative and or quantitative risk ranking approaches e.g. NIST, FAIR, etc.
- You are confident and have a track record of presenting and communicating to a wide audience including executives, developers, customers
If you require assistance due to a disability applying for open positions, please submit a request via this Accommodations Request Form.
At Salesforce we believe that the business of business is to improve the state of our world. Each of us has a responsibility to drive Equality in our communities and workplaces. We are committed to creating a workforce that reflects society through inclusive programs and initiatives such as equal pay, employee resource groups, inclusive benefits, and more. Learn more about Equality at Salesforce and explore our benefits.
Salesforce.com and Salesforce.org are Equal Employment Opportunity and Affirmative Action Employers. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status. Salesforce.com and Salesforce.org do not accept unsolicited headhunter and agency resumes. Salesforce.com and Salesforce.org will not pay any third-party agency or company that does not have a signed agreement with Salesforce.com or Salesforce.org.
Salesforce welcomes all.
Pursuant to the San Francisco Fair Chance Ordinance and the Los Angeles Fair Chance Initiative for Hiring, Salesforce will consider for employment qualified applicants with arrest and conviction records.