Staff Security Engineer

Details

• Contribute to a roadmap that scales Box’s security capabilities across platform and product surfaces.
• Ship MVPs and iterate on security automation, including supply chain security, SDLC agents/controls, and developer-first guardrails.
• Partner with Assurance & Architecture Team and cross-functional teams (Product, Platform, Cloud, SRE, Developer Experience) to embed security into workflows and tooling.
• Drive a breaker–builder approach: identify attack paths, validate with experimentation and feedback, and operationalize secure product development at scale.
• Establish clear team operating mechanisms: prioritization, sprint/quarterly planning, metrics, and post-launch learning.
• Define and track KPIs and KRIs that show risk reduction, coverage, and developer experience improvements.
• Represent the team internally and in the community (e.g., open source, meetups), fostering a culture of learning and inclusion.
• Strong security engineering foundation with hands-on familiarity in at least two of: DevSecOps automation, software supply chain security (SBOM, signing, provenance), SDLC controls/agents, fuzzing, or application security tooling.
• Development skills in one or more languages (e.g., Python, Go, Java, or TypeScript) and a track record of building production systems.
• Builder mindset with the ability to turn ambiguous risk areas into pragmatic roadmaps, MVPs, and measurable outcomes.
• Comfortable with a breaker/attacker perspective to uncover weaknesses and a builder mindset to scale defenses through automation.
• Proven cross-functional collaborator who can influence without authority and partner across Product, Engineering, and Cloud/SRE.
• Data-driven decision-maker who defines success with metrics and iterates quickly based on signal.
• Excellent communicator in English; able to align global stakeholders across time zones.
• Preferred skills:
• Experience with SaaS at scale, developer platform/tooling, cloud-native environments, and contributions to open source or security communities.
• Familiarity with common tools or ecosystems (e.g., CI/CD, container registries, policy engines, SAST/DAST, package managers), and modern languages (e.g., Go, Python, Java).
• Experience with SaaS at scale, developer platform/tooling, cloud-native environments, and contributions to open source or security communities.
• Familiarity with common tools or ecosystems (e.g., CI/CD, container registries, policy engines, SAST/DAST, package managers), and modern languages (e.g., Go, Python, Java).