Senior Product Security Engineer

StubHub's Product Security Engineering Team is seeking a Senior Engineer to enhance our security posture within the end user and services product domain. The perfect candidate will possess experience in CI/CD pipeline security, product and application architecture reviews, contextualized vulnerability management processes, and automation. 

Location: Hybrid (3 days in office/2 days remote) – New York, NY or Century City, CA 

StubHub’s Product Security Engineering Team plays a critical role in securing the platforms that power the world’s largest ticket marketplace. This team works hands-on with cutting-edge tools and cloud-native technologies to embed security into every layer of the software development lifecycle—from architecture to automation. If you're passionate about offensive security, CI/CD hardening, and driving real impact across modern product teams, this is your opportunity to lead and innovate at global scale.

• →Conduct security assessments, code reviews, and penetration tests on web applications, APIs, and mobile apps to identify vulnerabilities and flaws. 
• →Collaborate with development teams to embed security into CI/CD pipelines, including the implementation of automated code scanning tools. 
• →Develop and maintain secure coding guidelines and conduct security awareness training for developers. 
• →Respond to security incidents, perform root cause analyses, and recommend effective remediations. 
• →Stay current on emerging security threats, vulnerabilities, and mitigation strategies; proactively share insights across teams. 
• →Help develop and enforce application security policies, standards, and procedures aligned with industry regulations and best practices. 
• →Conduct architectural reviews to ensure the security of new technologies and controls. 
• →Build and maintain robust product vulnerability management processes and procedures. 
• →Write and maintain production-grade APIs to automate security processes and streamline infrastructure and developer workflows. 
• →Triage and respond to findings from StubHub’s enterprise Bug Bounty program. 

• →Demonstrated expert-level understanding of offensive web application security testing and defense-in-depth remediation strategies. 
• →Expert-level skills in vulnerability assessments and code reviews. 
• →Extensive experience with automated security testing tools (e.g., Burp Suite, OWASP ZAP, Snyk). 
• →Strong communication skills, with the ability to convey complex security concepts to both technical and non-technical audiences. 
• →Hands-on experience in applied cryptography and key management. 
• →Proven ability to implement SAST, DAST, and SBOM tooling within development workflows. 
• →Experience in performing structured threat modeling (e.g., STRIDE, PASTA). 
• →Intermediate proficiency in at least one scripting language (e.g., Python, Ruby). 
• →Familiarity with security frameworks such as PCI DSS, CIS, ISO 27001, and NIST CSF.

• Industry-recognized security certifications (e.g., OSCP, CEH, CISSP, GWAPT). 
• Intermediate-level experience with cloud security principles and technologies in AWS and Azure. 
• Understanding of Kubernetes security fundamentals, including the use of admission controllers, network policies, role-based access control (RBAC), and ingress architecture design. 
• Software development experience in Java & C#.