About The Position

The Emerging Technologies team within IS&T specializes in building forward-looking, extremely scalable systems and solutions in two areas: Information Security and general-purpose, reusable platforms in the space of Integration and Orchestration. The team has a passion for solving challenging problems, exploring new domains, and engineering transformational solutions. We operate with a startup mindset — lean teams, high ownership, and technical leaders who flex across domains to build and scale new capabilities.

The Emerging Technologies team is seeking an industry-recognized Architect to serve as the domain expert for Apple's perimeter and network security platform. You will be the technical authority across the full traffic path — edge proxies, origin/application load balancers, service mesh, and API & AI security gateways — architecting the defenses that protect Apple's services at scale. We are looking for someone who brings deep, proven expertise in perimeter security, threat mitigation, and proxy technologies — a technical leader whose experience and reputation precede them.

In this role, you will own the architecture and technical direction of the systems that deliver Apple's security capabilities — WAF protection against OWASP threats, DDoS mitigation, Bot Prevention, TLS termination/origination, real-time threat intelligence, and security policy enforcement across protocols (TCP, UDP, HTTP/HTTPS). These capabilities are powered by L4/L7 proxy runtimes and a Java-based orchestration platform that manages configuration, policy distribution, and lifecycle management at fleet scale. You will define the long-term security architecture vision, drive technically complex initiatives end-to-end, and shape how these systems evolve across on-premises data centers and public cloud environments (GCP, AWS), ensuring Apple's defenses remain resilient, adaptive, and secure as threats and scale grow.

This is a deeply technical, hands-on role for a recognized industry expert. You are expected to write code, prototype solutions, lead design efforts, and raise the technical bar for the entire team — not through management authority, but through expertise, influence, and the quality of your work. This role is also deeply cross-functional — you will partner with Apple's security and cloud infrastructure teams to drive a unified security vision, and work directly with application teams across the company to understand their traffic patterns and solve their integrated security needs.

Requirements

  • Bachelor's degree in Computer Science, Computer Engineering, or equivalent.
  • 15+ years of hands-on software engineering experience with significant time spent in security architecture or senior technical leadership roles.
  • Expert-level understanding of perimeter and network security: WAF design and rule authoring, DDoS mitigation strategies, bot detection techniques, TLS/mTLS, TCP/IP, HTTP/HTTPS, QUIC, and DNS security.
  • Deep experience with proxy technologies (NGINX, Envoy, HAProxy) across edge, origin, service mesh, and API & AI security gateway tiers — including protocol-level internals, security module/filter architectures, and load balancing strategies.
  • Solid understanding of IP networking fundamentals including BGP and NAT.
  • Experience designing and building orchestration/control plane systems for security policy distribution and configuration management across distributed infrastructure at scale.
  • Proven ability to architect systems that span on-premises and public cloud (GCP, AWS) with high availability, fault tolerance, and security as first-class concerns.
  • Strong proficiency in Java/J2EE for building backend platforms.
  • Ability to write production-quality code and lead by example.
  • Demonstrated track record of driving security architecture strategy and making high-impact design decisions across multiple teams or products.
  • Experience working cross-functionally with security, cloud infrastructure, and application teams to deliver integrated traffic and security solutions.
  • Excellent written and verbal communication skills — ability to produce clear architecture documents and present complex security concepts to diverse audiences, from engineers to executives.

Nice To Haves

  • Experience with proxy engine internals — C, C++, Lua, or WASM-based customization of NGINX, Envoy, or similar engines for implementing security controls in the runtime data path.
  • Deep knowledge of authentication/authorization frameworks (OAuth, mTLS, certificate management) and secure software development lifecycle practices.
  • Experience with service mesh architectures (Istio, Envoy-based), API & AI security gateway patterns, containerization (Kubernetes, Docker), and infrastructure-as-code (Terraform, Ansible).
  • Expertise in distributed systems design patterns — consensus protocols, eventual consistency, data replication, and partition tolerance trade-offs.
  • Experience designing real-time data pipelines and event-driven architectures for threat intelligence or security telemetry at scale.
  • Knowledge of observability at the platform level — designing systems for meaningful security logging, metrics, distributed tracing, and alerting.
  • Familiarity with OWASP threat models, CVE analysis, threat landscape trends, and security incident response from an engineering perspective.
  • Comfortable working across Java, Python, Go, and scripting languages as the problem demands.
  • Recognized industry expertise in perimeter/network security — demonstrated through contributions to open-source security projects, conference talks, or a track record at companies operating security infrastructure at internet scale.
  • Named inventor or co-inventor on granted patents or patent applications in networking, security, or distributed systems.
  • Contributor or author of IETF RFCs, Internet-Drafts, or equivalent standards documentation, influencing industry protocols and best practices.
  • Published technical papers, whitepapers, or research articles in reputable conferences, journals, or industry forums.
  • M.S. or Ph.D. in Computer Science, Electrical Engineering, or equivalent experience.

Responsibilities

  • Define and drive the long-term security architecture and roadmap, making critical design decisions on defense-in-depth strategy, threat coverage, scalability, and resilience.
  • Design and architect perimeter security solutions — WAF rule engines, DDoS mitigation, bot detection and prevention, TLS policy management, and real-time threat intelligence distribution at Apple-scale.
  • Own the security architecture across all proxy tiers — edge, origin/application load balancers, service mesh, and API & AI security gateways — and the orchestration/control plane that manages configuration, policy lifecycle, and fleet-wide enforcement.
  • Lead the architecture of security controls across protocols (TCP, UDP, HTTP/HTTPS, TLS), ensuring comprehensive coverage against evolving threat vectors.
  • Drive technical design reviews, author security architecture documents, and establish design standards and patterns that the broader engineering team follows.
  • Bring industry perspective — evaluate emerging threats, security technologies, and defensive approaches; leverage your knowledge to inform strategy and keep Apple's defenses at the forefront.
  • Collaborate with engineering managers, partner teams (security, infrastructure, SRE, product), and leadership to align security architecture with organizational goals.
  • Partner with Apple's security and cloud infrastructure teams to drive a cohesive security vision across perimeter, network, and application layers.
  • Work directly with application teams across Apple to understand their traffic and security requirements, designing integrated solutions that address their specific needs while maintaining platform consistency.
  • Mentor and elevate senior engineers through hands-on design collaboration, code reviews, and technical guidance — acting as a force multiplier for the team.
  • Proactively identify and address security architecture gaps, systemic risks, and technical debt before they become production vulnerabilities.
  • Represent the team's security perspective in cross-organizational architecture forums, security reviews, and industry engagements.