Application Security Operations Engineer

Notion is seeking a Senior Application Security Operations Engineer to help improve and optimize their security program. The ideal candidate should have technical ability, attention to detail, and be comfortable in a variety of offensive and defensive disciplines. The role involves orchestrating processes through a security information and event management system, maintaining and implementing various security tools and dashboards, and conducting research to develop new security tools and technologies. The compensation for this role ranges from $180,000 to $200,000 per year for roles based in San Francisco or New York City.

• Orchestrate processes through a security information and event management system.
• Maintain, implement, and own various security tools and dashboards.
• Plan for, scope and kick-off penetration testing with 3rd parties in accordance with our compliance program.
• Detect, defend, and respond to threats to Notion and its user base.
• Conduct research and developing new security tools and technologies
• Be a vital part of our vulnerability management program ensuring we’re monitoring and mitigating application layer vulnerabilities which pose a risk to our platform.
• Be a vital part of our responsible disclosure program. Reproduce vulnerabilities, prioritizing, and reporting them to various engineering teams for remediation.
• Foster deep relationships with our Engineering teams to ensure we are monitoring our application and infrastructure effectively.

• At least 3 years working in an application or product security focused role.
• Strong experience finding and reproducing bugs in software and ability to show how they can be exploited.
• Experience building systems or tooling to secure and monitor cloud environments ranging from build pipelines to cloud deployment to client/server communication.
• Familiarity with attack frameworks and how to use it to identify and close gaps in detection capabilities.
• Understanding of SOC disciplines and comfortable working in various roles.
• Understanding of the incident response lifecycle completely and ability to be on an on-call rotation.
• Ability to lead projects with little guidance, have worked along with engineering teams in a SaaS environment (nice to have).
• Infrastructure as code security best practices (nice to have).
• Involvement in local or regional security user groups or conferences would be an added bonus too, but not essential (nice to have).