At PayPal (NASDAQ: PYPL), we believe that every person has the right to participate fully in the global economy. Our mission is to democratize financial services to ensure that everyone, regardless of background or economic standing, has access to affordable, convenient, and secure products and services to take control of their financial lives.
When applying for a job you are required to create an account; if you have already created an account, click Sign In.
Creating an account will allow you to follow the progress of your applications. Our system has some requirements that will help us process your application; below are some guidelines for creating your account:
- Provide your full legal First Name/Family Name - this is important for us to ensure our future hires have the right system set up.
- Please Capitalize first letter of your First and Last Name.
- Please avoid using fully capitalized text for your First and/or Last Name.
- NOTE: If your name is hyphenated or has multiple capitalization, please use the same format as your government ID.
Job Description Summary:
What you need to know about the role:
As a senior information security DevSecOps engineer on the PayPal Enterprise Cyber Security (ECS) team, you will be a key member of a technical, hands-on security team tasked with implementing and integrating security tools and platforms with recently acquired business units. These efforts currently support the Happy Returns and ChargeHound business units, their product offerings, and the cloud infrastructure and services they use. This security engineering team is responsible for designing, deploying, implementing, automating, and operationalizing security infrastructure, platforms, and toolsets with our business units and their engineering and software development efforts to meet PayPal security outcomes and business goals. In this role you will report directly to the Head of Information Security for Happy Returns and ChargeHound and work not only with your teammates but also cross-functionally with various teams within Happy Returns, ChargeHound, and PayPal on all things related to information security, cybersecurity, and information assurance/compliance. Because of the breadth of partners you will work with, inclusivity of ideas and perspectives and our diversity are values that we champion.
Job Description:
Meet our team:
This role is with a relatively new, greenfield team composed of diverse individuals, from people early in their career to seasoned veterans who have spent time fighting nation-state actors (APTs), presented at DEF CON and other security conferences, conducted penetration tests on Fortune 100 companies, and helped companies restore and recover from data breaches. We are driven to learn, help each other grow personally and professionally, be inclusive, and help our business units, peers, and customers identify and manage their risks. We look forward to having you join us to round out the capabilities of our team, learn from you, and help you do the same.
This is a remote role in North America, working with remote team members in North America and peers around the world. When safe to do so and as business obligations require, some travel would be expected for real-world incidents, site visits, practice exercises, meetings, conferences, and the like.
Your way to impact
You will actively take part in and lead the hands-on efforts to help protect and defend our network boundaries, keep computer, network, and cloud systems hardened against malicious activity, and provide security services that protect extremely sensitive customer information. Our security engineers work hands-on with all layers and pieces of the technology stack and actively monitor our systems for attacks and intrusions in both on-prem and cloud environments. You will use your experience to own, facilitate, and drive the resolution of complex security incidents, the implementation of security toolsets, and the automation and operationalization of those toolsets to maximize our risk management capabilities as well as our return on investment (ROI); you will also address policy questions and resolve security issues of a technical nature. Additionally, you will work with our software engineers to proactively identify and fix security flaws and vulnerabilities in our product and platform. Our security engineers work on a broad set of efforts focused on scaling and automating security infrastructure and processes. We solve user and corporate security concerns, investigate security incidents, perform security gap analysis, build and integrate systems, conduct applied research, and implement novel technologies and architectures to deal with enterprise security across a diversity of computing platforms such as mobile and cloud. Our focus is to assess the newly acquired business units' security posture and toolsets, map out the needed capabilities while aligning with PayPal's standards and compliance obligations, and work with the various stakeholders to implement, operationalize, and optimize.
What do you need to bring:
You should have at least 5 years of relevant industry experience in information security/cybersecurity. During that time, you should have gained hands-on, in-depth experience with, and a thorough understanding of, the following:
- Using, managing, and securing popular cloud services and platforms that are SaaS, IaaS, etc.
- Security concepts in Heroku and AWS and the native security tools available there, such as Inspector, GuardDuty, Macie, Config, CloudFormation, CloudWatch, CloudTrail, Trusted Advisor, WAF, etc., along with familiarity with third-party alternatives (and when it is beneficial to use them).
- How to administer and effectively manage UNIX-, Linux-, and/or BSD-based monitoring and detection systems hosted in AWS or GCP.
- Computer networking, routing, and protocols
- Deploying identity and access management (IAM) services, including single sign-on (SSO) frameworks and mechanisms such as OAuth, SCIM, and SAML.
- How legitimate users administer, use, and secure common consumer and enterprise network devices and systems, and how malicious actors exploit them.
- Log management and security analytics tools, including open source and commercial platforms/toolsets.
- Implementing, integrating, and tuning network and cloud security infrastructure, applications (web and mobile), and security tools and platforms, as well as the automation needed to operationalize them.
- Integrating security in the continuous integration, continuous delivery, and continuous deployment (CI/CD) pipeline for Networking as Code (NaC) and Infrastructure as Code (IaC) (running unit tests, running security tools, managing secrets using tools such as Vault) using configuration management and automation tools such as Jenkins, Chef, Ansible, Puppet, Terraform, etc.
- Experience using regular expressions (regex), and with automation and development in Python and Go, including Networking as Code (NaC) and Infrastructure as Code (IaC) using tools such as Terraform.
- The ability to monitor, evaluate, and interpret vulnerabilities/CVEs; vulnerability, risk, and security assessments; cloud platform, system, device, and IDS/IPS logs; and threat analysis.
- Proven methods for analyzing and interpreting information from Security Operations Centers (SOCs), Computer Security Incident Response Teams (CSIRTs), or SecOps systems
- Knowledgeable about and able to apply open-source and proprietary information within the industry.
- Excellent oral and written communication skills for working with a diverse professional clientele with varying levels of technical experience, and the ability to interact with internal and external customers, leadership, and co-workers in person, virtually, and in writing.
- Ability to research highly technical topics and derive logical conclusions using well thought out processes, eliminating bias and logical fallacies.
- Ability to combine information from various sources into clear, concise technical documents that explain the background and procedures for detecting and mitigating risk.
- Working with and in O365, or the ability & willingness to learn the platform and applications.
- During your career you should have been exposed to and have an understanding of:
+ Security monitoring and intrusion detection,
+ Managing the information security incident lifecycle, including incident response, mitigation, forensics, after-action reporting, and mapping a path forward.
+ Secure network design
+ Information security architecture, mitigation of threats, and compensating controls.
+ Applied cryptography and security protocols
+ Penetration testing and red teaming
+ Enterprise risk management programs, including internal audits, consulting engagements, information technology reviews, audit, and compliance efforts.
+ Implementing and working with industry standards and guidelines relevant to the role and our industry, such as ISO, ITIL, NIST, SANS, CIS, AICPA SOC 1/SOC 2/SOC 3, and PCI.
- Have a willingness and desire to learn.
- Possess and nurture a hacker mentality: Being able to visualize issues and possible solutions outside the box.
- Must be a conscientious, punctual, professional, and devoted member of our team with the highest level of ethics and core values, and the ability to safeguard sensitive, restricted, and other information deemed to have special handling and dissemination protocols.
- Strong bias for action and ownership.
- Proven ability to work cross-functionally and deliver results, with the perspective that no project is too big or too small.
- Effective when working under pressure and good enough to make sure that rarely happens.
- Bachelor's degree, an Associate's degree combined with experience, or an equivalent combination of education, training, and work or volunteer experience. All degrees must be from an accredited institution; a degree in a technical discipline, or significant coursework in software development, information security, risk management, or information technology, is preferred.
- Having (or planning to obtain) information security and technology-related certifications is a plus. Examples of such certifications include:
+ Any of the AWS certifications
+ Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance (CSA)
+ PDSO DevSecOps Professional (CDP)
+ PDSO DevSecOps Expert (CDE)
+ PDSO DevSecOps Leader (CDL)
+ PDSO Container Security Expert (CCSE)
+ PDSO Threat Modelling Professional (CTMP)
+ PDSO Cloud Native Security Expert (CCNSE)
+ SANS GIAC Information Security Professional (GISP)
+ SANS GIAC Certified Web Application Defender (GWEB)
+ SANS GIAC Python Coder (GPYC)
+ SANS GIAC Public Cloud Security (GPCS)
+ SANS GIAC Continuous Monitoring Certification (GMON)
+ SANS GIAC Defensible Security Architecture (GDSA)
+ SANS GIAC Defending Advanced Threats (GDAT)
+ SANS GIAC Enterprise Vulnerability Assessor (GEVA)
+ SANS GIAC Cloud Security Automation (GCSA)
+ SANS GIAC Cloud Security Essentials (GCLD)
+ SANS GIAC Critical Controls Certification (GCCC)
Note that the ability to articulate and demonstrate skills is as important as, or more important than, the certifications or the education.
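As an illustration of the CI/CD secrets-handling and regex/Python items in the list above, here is a small pre-merge gate that scans the files touched by a change for hardcoded credentials and fails the job if any are found. This is an added example written for this page, not PayPal's, Happy Returns', or ChargeHound's tooling; the rule names, file paths, and the 3.0 bits-per-character entropy threshold are assumptions, and the sample files are constructed (the AWS access key ID is the placeholder value used in AWS's own documentation).

```python
"""Hypothetical pre-merge secret-scanning gate (added example; not PayPal tooling).

A CI job collects the files touched by a change and calls ci_gate(); a
non-zero exit blocks the merge. Two detection strategies are combined:
  1. Exact-format rules for credentials with a known shape.
  2. A generic "<secret-ish name> = <value>" rule whose hits are kept only
     when the value looks random (Shannon entropy), so placeholders such
     as password=changeme do not page anyone.
"""
from __future__ import annotations

import math
import re
import sys
from collections import Counter

# Assumed threshold in bits per character; 3.0 separates dictionary-word
# placeholders from machine-generated tokens well enough for this demo.
ENTROPY_THRESHOLD = 3.0

# Rule names are hypothetical. The AWS access key ID shape (AKIA/ASIA
# followed by 16 upper-case alphanumerics) is the documented format.
EXACT_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Generic assignment rule: a secret-ish keyword (optionally as part of a
# longer identifier such as SECRET_KEY or API_TOKEN), then = or :, an
# optional quote, then a value of at least 8 token-like characters,
# which is captured for the entropy test.
GENERIC_RULE = re.compile(
    r"(?i)(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=_\-]{8,})"
)


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of value (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per (line, rule) hit in the given file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in EXACT_RULES.items():
            if pattern.search(line):
                findings.append({"path": path, "line": lineno, "rule": rule})
        for match in GENERIC_RULE.finditer(line):
            # Low-entropy values (changeme, password123) are treated as
            # placeholders and skipped; random-looking values are reported.
            if shannon_entropy(match.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(
                    {"path": path, "line": lineno, "rule": "generic_assignment"})
    return findings


def ci_gate(files: dict[str, str]) -> tuple[bool, list[dict]]:
    """Scan {path: contents}; return (passed, findings). Any hit fails the gate."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return (not findings, findings)


# Constructed sample change set. The key ID is the placeholder from AWS docs;
# the README line is a deliberate low-entropy placeholder that must NOT fire.
SAMPLE_FILES = {
    "config/app.env": "DB_HOST=db.internal\nAPI_TOKEN=Xk9vQ2mN7pL4wR8t\n",
    "terraform/provider.tf":
        'provider "aws" {\n  access_key = "AKIAIOSFODNN7EXAMPLE"\n}\n',
    "docs/README.md": "Set password = changeme on first login.\n",
    "deploy/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXk=\n",
}

if __name__ == "__main__":
    passed, hits = ci_gate(SAMPLE_FILES)
    for hit in hits:
        print(f"{hit['path']}:{hit['line']}: {hit['rule']}")
    sys.exit(0 if passed else 1)
```

Run against the constructed change set, the gate reports the API token, the AWS key ID in the Terraform provider block, and the committed private key, and exits 1; the README's `password = changeme` is skipped because its entropy (2.75 bits/char) is below the threshold. In a real pipeline the file map would come from the diff of the change under review, and the exact-format rules would be extended for the credential types the business unit actually issues.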
We know the confidence gap and imposter syndrome can get in the way of meeting spectacular candidates. Note that if you do not meet 100% of the qualifications listed, you should ignore that imposter syndrome and still seriously consider applying for the role. Studies show that you can still be considered for a role if you meet just 50% of the role's listed requirements, with an even higher percentage if you include a cover letter. Please don't hesitate to apply.
Colorado Only : The pay range for this position is as mentioned below per year, plus annual bonus. We take into consideration an individual's background and experience in determining final salary. All PayPal employees are shareholders in our Company, so equity is part of our total compensation plan. This role is also eligible for health insurance, stock purchase plans, retirement savings benefits, stock awards, life insurance and disability benefits, and paid time off for sick leave, parental leave, vacation and PTO. To learn more visit paypalbenefits.com. This information is provided per the Colorado Equal Pay Act. Base pay information is based on market location.
Colorado Salary in USD : $134,385 - $166,005
At PayPal, we're committed to building an equitable and inclusive global economy. And we can't do this without our most important asset-you. That's why we offer benefits to help you thrive in every stage of life. We champion your financial, physical, and mental health by offering valuable benefits and resources to help you care for the whole you.
We have great benefits including a flexible work environment, employee share options, health and life insurance, and more. To learn more about our benefits please visit https://www.paypalbenefits.com
Who We Are:
PayPal has remained at the forefront of the digital payment revolution for more than 20 years. By leveraging technology to make financial services and commerce more convenient, affordable, and secure, the PayPal platform is empowering more than 400 million consumers and merchants in more than 200 markets to join and thrive in the global economy. For more information, visit paypal.com.
PayPal provides equal employment opportunity (EEO) to all persons regardless of age, color, national origin, citizenship status, physical or mental disability, race, religion, creed, gender, sex, pregnancy, sexual orientation, gender identity and/or expression, genetic information, marital status, status with regard to public assistance, veteran status, or any other characteristic protected by federal, state or local law. In addition, PayPal will provide reasonable accommodations for qualified individuals with disabilities. If you are unable to submit an application because of incompatible assistive technology or a disability, please contact us at email@example.com.
As part of PayPal's commitment to employees' health and safety, we have established in-office Covid-19 protocols and requirements, based on expert guidance. Depending on location, this might include a Covid-19 vaccination requirement for any employee whose role requires them to work onsite. Employees may request reasonable accommodation based on a medical condition or religious belief that prevents them from being vaccinated.