Mercari is a marketplace app that makes it easy for people to safely sell and ship their things. Having been downloaded over 100 million times, it is now among the largest peer-to-peer selling platforms globally.
Though we have over 1,800 employees, we still have a startup culture, where we encourage people to come up with big, crazy ideas, and to not be afraid of failure. Because the company is rapidly growing, you can set your own path, and there is enough transparency to allow our members to do so. For instance, at our all-hands meetings, every single member is encouraged to ask questions directly to our executive team.
We’re a Japanese company, but are building a global work culture, and so we provide a great opportunity to experience a blend of Japanese and international culture. We relocate developers from around the world to join our team, and provide translation and interpretation to smooth communication between members.
We want our employees to be able to give 100% both inside and outside of the office, and our benefits reflect this. These include providing language education, financial support for childcare, and allowing you to pursue paid side gigs outside of working with us.
Our response to COVID-19
In response to COVID-19, Mercari began its work-from-home policy on February 19, 2020. On September 1, 2021, Mercari introduced a work style policy called “Your Choice.” Each member is free to choose whether they want to work in the office or work fully remote.
About the position
As a Security Engineer in the Mercari Security Engineering Team, you will perform security design and process reviews as well as develop and deploy security countermeasures, and execute penetration tests. This is a unique role within Mercari since you will be involved in high-stakes projects across the organization. In addition, you will help us ensure the integration of and compliance with security best practices, frameworks, and regulations in these projects.
Mercari follows the philosophy of “security as code”, so our security engineers are expected to automate and optimize the solutions they develop. That’s why we are looking for people passionate about automation to join our team! Specifically, you will:
- Review system designs to define necessary security requirements based on threat evaluation and attack trees.
- Review architecture proposals, such as infrastructure or information flows, and propose security controls to minimize risks.
- Conduct vulnerability assessments and penetration testing on Mercari’s production and corporate infrastructure.
- Automate security controls and monitoring.
- Develop technical solutions to help mitigate security vulnerabilities.
- Maintain technical & security standards for production and corporate infrastructure services.
- Educate engineering teams on security practices with hands-on workshops, tech talks, and lectures.
- Participate in the incident response process, identify remediation actions and deploy countermeasures.
- Collaborate with information security officers, the legal team, and internal auditors on technical security matters.
- Security Engineers at Mercari are responsible for dealing with a vast array of data, logs, and dependencies. You will be able to use cutting-edge and complex cloud infrastructure systems to help us tackle unknown issues.
- With rapidly growing organizations and services, it is extremely important for Mercari to introduce automation and stop depending on manual work as much as possible. This is an exciting opportunity to gain experience helping us build our security systems and solve issues in a fast-paced environment.
- 4+ years of experience in security domains
- Public cloud infrastructure platforms (GCP, AWS and Azure), as well as container technologies (Docker, Kubernetes)
- Penetration testing, web application security testing, vulnerability scanning, threat-based infrastructure risk assessment
- Security automation and DevSecOps methodologies
- Corporate security solutions (DLP, IAM, MDM, Endpoint security/EDR, CASB, Zero Trust, MFA)
- Implemented security controls based on security frameworks and regulations (ISO27001, PCI-DSS, CCPA)
- Key management and applied cryptography (TLS, PKI, KMS, blockchain, data encryption)
Nice to haves
These aren’t required, but be sure to mention them in your application if you have them.
- Bachelor’s degree in Computer Science or equivalent practical experience
- Recognized security certifications (CISSP, OSCP, GIAC)
- Experience leading or investigating incident handling cases, performing computer forensic investigations, or conducting malware analysis
- Good understanding of modern web application architecture
- Experience with software development tools, such as version control systems, integrated development environments (IDE), and CI/CD tools
- SQL querying (BigQuery, MySQL)
- Effective interpersonal and communication skills