As a Security Engineer in the Mercari Security Engineering Team, you will perform security design and process reviews as well as develop and deploy security countermeasures, and execute penetration tests. This is a unique role within Mercari since you will be involved in high-stakes projects across the organization. In addition, you will help us ensure the integration of and compliance with security best practices, frameworks, and regulations in these projects.
Mercari follows the philosophy of “security as code”, so our security engineers are expected to automate and optimize the solutions they develop. That’s why we are looking for people passionate about automation to join our team! Specifically, you will:
- Review system designs to define necessary security requirements based on threat evaluation and attack trees.
- Review architecture proposals, such as infrastructure or information flows, and propose security controls to minimize risks.
- Conduct vulnerability assessments and penetration testing on Mercari’s production and corporate infrastructure.
- Automate security controls and monitoring.
- Develop technical solutions to help mitigate security vulnerabilities.
- Maintain technical & security standards for production and corporate infrastructure services.
- Educate engineering teams on security practices with hands-on workshops, tech talks, and lectures.
- Participate in the incident response process, identify remediation actions and deploy countermeasures.
- Collaborate with information security officers, the legal team, and internal auditors on technical security matters.
Bold Challenges
- Security Engineers at Mercari are responsible for dealing with a vast array of data, logs, and dependencies. You will be able to use cutting-edge and complex cloud infrastructure systems to help us tackle unknown issues.
- With rapidly growing organizations and services, it is extremely important for Mercari to introduce automation and stop depending on manual work as much as possible. This is an exciting opportunity to gain experience helping us build our security systems and solve issues in a fast-paced environment.
Requirements
- 4+ years of experience in security domains
- Programming experience with one or more programming languages including but not limited to: Go, Python, PHP, JavaScript
- Public cloud infrastructure platforms (GCP, AWS and Azure), as well as container technologies (Docker, Kubernetes)
- Penetration testing, web application security testing, vulnerability scanning, threat-based infrastructure risk assessment
- Security automation and DevSecOps methodologies
- Corporate security solutions (DLP, IAM, MDM, Endpoint security/EDR, CASB, Zero Trust, MFA)
- Implemented security controls based on security frameworks and regulations (ISO27001, PCI-DSS, CCPA)
- Key management and applied cryptography (TLS, PKI, KMS, blockchain, data encryption)
Nice to haves
These aren’t required, but be sure to mention them in your application if you have them.
- Bachelor’s degree in Computer Science or equivalent practical experience
- Recognized security certifications (CISSP, OSCP, GIAC)
- Experience leading or investigating incident handling cases, performing computer forensic investigations, or malware analysis
- Good understanding of modern web application architecture
- Experience with software development tools, such as version control systems, integrated development environments (IDE), and CI/CD tools
- SQL querying (BigQuery, MySQL)
- Effective interpersonal and communication skills