Senior Product Security Engineer, Reviews

As a Senior Product Security Engineer, you will play a key role in securing Okta’s products by independently conducting security reviews, penetration tests, and threat modeling for new features and existing services. You will proactively identify security risks, influence engineering teams, and propose solutions to improve security posture.

This role requires a strong technical background in web application security, authentication protocols, and vulnerability analysis. You should be comfortable working autonomously on security projects, and collaborating with engineers.

A successful candidate will have an attacker mindset—the ability to think like an adversary when assessing risks, identifying vulnerabilities, and designing mitigations. You will also have opportunities to contribute to security tooling, automation, and external security research.

Job Duties and Responsibilities:

• Own and drive security reviews, including threat modeling, secure code reviews, and penetration testing for new and existing products.
• Independently identify, analyze, and mitigate security vulnerabilities, working closely with engineering teams.
• Propose and implement security improvements, balancing risk, impact, and business objectives.
• Assist in handling security incidents, conducting root cause analysis, and providing remediation guidance.
• Develop security tools and automation to improve vulnerability detection and assessment.
• Contribute to security research and participate in external engagements such as blog posts, white papers, and conference presentations.

Required Knowledge, Skills, and Abilities:

• Strong knowledge of application security principles, including OWASP Top 10 and CWE Top 25 vulnerabilities.
• Experience performing manual secure code reviews across multiple languages (Java, .NET, Go, C, C++, Python, Swift, Kotlin).
• Proficiency in penetration testing techniques and tools like Burp Suite.
• Understanding of authentication and authorization protocols (OIDC, SAML, OAuth).
• Ability to independently drive security initiatives and provide clear remediation strategies.
• Solid coding skills in at least one scripting or programming language (Python, Bash, etc.).
• Strong ability to communicate security risks and solutions to engineering teams and leadership.

 Desired skills and Abilities:

• Experience with mobile application security testing (Android/iOS).
• Familiarity with SAST, DAST, SCA, and fuzzing tools.
• Knowledge of cryptographic principles and secure implementations.
• Understanding of network security, protocol analysis, and threat modeling.
• Experience writing proof-of-concept scripts to demonstrate vulnerability exploitation.

#LI-Remote

#LI-SH1