  • Location: New York
  • Date Posted: 09 Jun 2020
  • Function: Tech Ops
  • Sector: Retail


We’re hiring our first Security Engineer to build a robust security discipline for our application development and cloud infrastructure. You’d join our Technology team, working closely with site reliability and performance engineers to ensure Glossier keeps our customers’ trust.

You’d continuously improve our engineering practices and tooling to help us deliver a secure and reliable e-commerce experience.

6 Month Expectations:

  • Implement controls to ensure AWS IAM roles and security groups are configured appropriately.
  • Review our configuration management practices, and help implement new tools and practices to enable the engineering team to configure new environments quickly, reliably, and securely.
  • Manage our bug bounty program, working with Product Managers and Tech Leads to ensure issues are triaged and fixed appropriately.
  • Conduct penetration tests of glossier.com and other key business applications.
  • Conduct due diligence with potential vendors to ensure they have appropriate security practices.
  • Consult with engineers implementing new features and architectural patterns as a Subject Matter Expert on AppSec.
  • Build threat models, and train the tech team on how to use them when developing new features.
  • Conduct security reviews on new systems and architectural patterns being introduced at Glossier.

12+ Month Expectations:

  • Create policies and tools to ensure new services can easily follow recommended security practices, such as least-privileged access, audit trails for sensitive actions, and centralized logs for investigating incidents.
  • Build cloud governance tooling to automatically monitor and enforce our AWS security policies.
  • Implement a set of automated scanning and reporting tools to ensure software dependencies are kept up to date, and source code is statically analyzed for vulnerabilities.
  • Facilitate red team and security incident response drills.

Our Technology Stack

  • Ruby and JavaScript on the backend
  • GraphQL for our API
  • React and Apollo on the frontend
  • AWS to host our infrastructure
  • Postgres, Redis, DynamoDB, and Redshift as our data stores
  • Swift for our retail point-of-sale application
  • Datadog and PagerDuty for monitoring and alerting

Our Ideal Candidate

  • Has 3+ years of security engineering experience, preferably at a high-growth tech company
  • Has written code to fix web app vulnerabilities, patched dependencies, and configured production cloud infrastructure
  • Is comfortable programming with Ruby or JavaScript
  • Is comfortable participating in our on-call rotation (we get about 1 page per month outside of regular work hours)
  • Has implemented frameworks and tooling to continuously monitor for security vulnerabilities
  • Is an effective communicator to help other stakeholders understand security concerns
  • Can appropriately align security goals with business value and make effective tradeoffs
  • Can incrementally deliver value

About Glossier

Glossier is a beauty company that lives in NYC, is sold on the internet, and promotes a skincare-first philosophy that celebrates beauty in real life.