
Product Security Engineer

Fitbit, US - San Francisco

Stay motivated and improve your health by tracking your activity, exercise, food, weight and sleep


At Fitbit, our mission is to help people lead healthier, more active lives by empowering them with data, inspiration and guidance to reach their goals.

We started our journey in 2007—as a team of two with one big idea. Since then, we’ve grown to over 1,500 employees, sold over 60mm devices, and built a health and fitness community across the globe. In fact, the Fitbit Community has taken enough steps to walk from the Sun to Pluto! Offering award-winning products, a top-rated mobile app and an easy-to-use online dashboard, Fitbit provides personalized experiences that help our users reach their goals. With a reenergized focus on innovative devices, interactive experiences, and enterprise health we are transforming the way consumers and businesses see health & fitness.

From your first steps as a Fitbitter, you will be at the forefront of developing new products. Our culture combines the spirit of startup with the perks of being public. We offer a competitive benefits package and amazing perks like unlimited snacks, Friday happy hours, onsite workout classes, and a strong focus on a healthy work-life balance. As part of our team, you’ll have the opportunity to grow your career, contribute your ideas to life-changing products and services, and—above all—have fun doing it.

Fitbit’s HQ campus is located in the heart of San Francisco with office locations in Boston, San Diego and around the world. Think you’ve found your fit?

Fitbit is looking for a Senior Product Security Engineer. Product security engineers are the face of our product security team. They are the primary interface that product and engineering teams have with the security team. They use a collaborative approach to ensure that teams know how to engage with the information security team and to get those teams timely, relevant, pragmatic, actionable advice. They understand how software and products are created, understand the challenges in delivering great products and services, and have empathy for the people making those products.

Product security engineers should be able to speak intelligently about the entire technology stack being used at Fitbit: from firmware on our devices, through our mobile applications and into cloud software and infrastructure. The goal is not for product security engineers to be experts in every part of this stack, but they do need to have sufficient knowledge to be able to give quick and sensible initial feedback on any part of the stack, and to back this up with research from a more experienced colleague on the team.

We also expect all product security engineers to be a subject matter expert in one area and to take responsibility for that area within the product security team. Product security engineers aim not only to identify and eliminate security vulnerabilities in our products and services but also to identify the root causes of these issues, helping to address them via, for example, training and awareness initiatives or automation and tooling.

Ideal candidates may come from many different backgrounds, e.g. you may be a software engineer who is passionate about security, you may be a bug bounty participant, you may have worked on other product security teams or you may be a recovering security consultant.

Team Deliverables

Senior Product Security engineers are leaders within the product security team that assist with the scoping, coordination and delivery of these services. They also mentor other team members to ensure they are delivering these services in line with our team culture and practices.

The product security team is responsible for delivering the following services:

  1. Conduct threat modelling / adversarial thinking exercises
  2. Provide application security advice to engineers
  3. Perform manual and automated code review
    1. Our goal is to automate as much of our role as possible
    2. Create rules to help us to identify software that should be manually reviewed by a skilled application security engineer
    3. Help enable self-service reviews for engineers
    4. Work on tooling to expedite the process of doing software reviews
  4. Perform ad-hoc application security assessments
  5. Assist with Fitbit’s Bug Bounty programs
    1. Help with the replication, prioritization and filing of issues identified via our bug bounty programs
  6. Assist with Fitbit’s developer outreach efforts
    1. Share root cause analysis information with our outreach team to ensure we’re educating our engineers about common security pitfalls and how to avoid them
  7. Serve as a technical leader and mentor for other product security engineers

Expertise Required

Each product security engineer on our team brings a unique set of skills. The one skill they have in common is the ability to relate to software developers and provide suitable guidance. We expect every senior or principal product security engineer to be an expert in at least one of the following domains:

  • Operating Systems / Native Applications / Firmware - You understand memory corruption vulnerabilities, exploit mitigations, operating system internals and can comfortably navigate a C code base.
  • Web Application Security - You live and breathe XSS, XXE, SQLi, padding oracles and obscure logic bugs; you understand modern web security controls such as CSP and Subresource Integrity; you’re comfortable finding your way around a Java, NodeJS, Python, Ruby or Go codebase.
  • Mobile Application Security - You can find vulnerabilities in a certificate pinning implementation, you understand mobile IPC mechanisms, you’re comfortable finding your way around an Android or iOS code base.
  • Applied Cryptography - You understand common cryptographic mistakes, you can explain the difference between AES CBC and AES GCM modes.
  • Infrastructure & Cloud Security - You understand cloud security controls in GCP and AWS, you know how to harden a Linux system, you’re comfortable with infrastructure as code and tools such as Ansible, Puppet and Terraform.
  • Hardware Security - You can find and exploit JTAG headers on a board, you know how to dump flash, you understand hardware security protections.
  • Adversary Simulation / Red Teaming

Fitbit is proud to be an equal opportunity employer. We recruit, hire, train, promote, pay, and administer all personnel actions without regard to race, color, ancestry, national origin, citizenship, religion, age, sex (including pregnancy, childbirth, and medical conditions related to pregnancy, childbirth, or breastfeeding), sex stereotyping (including assumptions about a person’s appearance or behavior, gender roles, gender expression, or gender identity), sexual orientation, gender, gender identity, gender expression, marital status, medical condition, mental or physical disability, military or veteran status, genetic information or other statuses protected by law. We interpret these protected statuses broadly to include both the actual status and any perceptions and assumptions made regarding these statuses.

San Francisco applicants: Pursuant to the San Francisco Fair Chance Ordinance, Fitbit will consider for employment qualified applicants with arrest and conviction records.

About Fitbit

We're a passionate team dedicated to health and fitness who are building products that help transform people's lives. While health can be serious business, we feel it doesn't have to be. We believe you're more likely to reach your goals if you're encouraged to have fun, smile, and feel empowered along the way.

Want to learn more about Fitbit? Visit Fitbit's website.