Senior Product Security Engineer

StubHub is on a mission to redefine the live event experience on a global scale. Whether someone is looking to attend their first event or their hundredth, we’re here to delight them all the way from the moment they start looking for a ticket until they step through the gate. The same goes for our sellers. From fans selling a single ticket to the promoters of a worldwide stadium tour, we want StubHub to be the safest, most convenient way to offer a ticket to the millions of fans who browse our platform around the world. StubHub's Product Security Engineering Team is seeking a Senior Engineer to enhance our security posture within the end user and services product domain. The perfect candidate will possess experience in CI/CD pipeline security, product and application architecture reviews, contextualized vulnerability management processes, and automation. Location: Hybrid (3 days in office/2 days remote) – New York, NY or Century City , CA About the team: StubHub’s Product Security Engineering Team plays a critical role in securing the platforms that power the world’s largest ticket marketplace. This team works hands-on with cutting-edge tools and cloud-native technologies to embed security into every layer of the software development lifecycle—from architecture to automation. If you're passionate about offensive security, CI/CD hardening, and driving real impact across modern product teams, this is your opportunity to lead and innovate at global scale. What You’ll Do: Conduct security assessments, code reviews, and penetration tests on web applications, APIs, and mobile apps to identify vulnerabilities and flaws. Collaborate with development teams to embed security into CI/CD pipelines, including the implementation of automated code scanning tools. Develop and maintain secure coding guidelines and conduct security awareness training for developers. Respond to security incidents, perform root cause analyses, and recommend effective remediations. Stay current on emerging security threats, vulnerabilities, and mitigation strategies; proactively share insights across teams. Help develop and enforce application security policies, standards, and procedures aligned with industry regulations and best practices. Conduct architectural reviews to ensure the security of new technologies and controls. Build and maintain robust product vulnerability management processes and procedures. Write and maintain production-grade APIs to automate security processes and streamline infrastructure and developer workflows. Triage and respond to findings from StubHub’s enterprise Bug Bounty program. What You’ve Done: Demonstrated expert-level understanding of offensive web application security testing and defense-in-depth remediation strategies. Expert-level skills in vulnerability assessments and code reviews. Extensive experience with automated security testing tools (e.g., Burp Suite, OWASP ZAP, Snyk). Strong communication skills, with the ability to convey complex security concepts to both technical and non-technical audiences. Hands-on experience in applied cryptography and key management. Proven ability to implement SAST, DAST, and SBOM tooling within development workflows. Experience in performing structured threat modeling (e.g., STRIDE, PASTA). Intermediate proficiency in at least one scripting language (e.g., Python, Ruby). Familiarity with security frameworks such as PCI DSS, CIS, ISO 27001, and NIST CSF. Preferred Skills and Qualifications: Industry-recognized security certifications (e.g., OSCP, CEH, CISSP, GWAPT). Intermediate-level experience with cloud security principles and technologies in AWS and Azure. Understanding of Kubernetes security fundamentals, including the use of admission controllers, network policies, role-based access control (RBAC), and ingress architecture design. Software development experience in Java C#. What We Offer: Accelerated Growth Environment : An environment designed ... (truncated, view full listing at source)