Product Security Engineer

Salesforce, San Francisco, CA
About The Position

About Salesforce

Salesforce is the #1 AI CRM, where humans with agents drive customer success together. Here, ambition meets action. Tech meets trust. And innovation isn’t a buzzword — it’s a way of life. The world of work as we know it is changing and we're looking for Trailblazers who are passionate about bettering business and the world through AI, driving innovation, and keeping Salesforce's core values at the heart of it all. Ready to level-up your career at the company leading workforce transformation in the agentic era? You’re in the right place! Agentforce is the future of AI, and you are the future of Salesforce.

We are looking for a Product Security Engineer to join our Salesforce product security advisors team. You will be the technical authority responsible for assessing the ecosystem that powers our clouds and providing remediation advice for it. As a trusted security advisor, you'll serve as the primary point of contact for our engineering partners and leadership, cultivating strong relationships and delivering critical security recommendations. Your contributions will directly shape and enhance the security posture of our core platforms, ensuring the resilience and integrity of Salesforce's offerings. You’ll sit at the intersection of application security and infrastructure, ensuring that every design decision follows thoughtful security principles, and reviewing the implementation that delivers it so that it meets the highest security standards.

Requirements

  • The Experience: 5+ years in offensive or defensive security roles, with a proven track record of securing enterprise-level cloud platforms (Salesforce/SFMC experience is a massive plus but not a requirement).
  • The Technical Breadth: Working knowledge of at least two of these languages: Java, C#, PHP, Python; knowledge of email/SMS threats; and a drive for continuous learning.
  • The Mindset: You think like an attacker but build like an architect. You are passionate about breaking things to make them stronger.
  • The Communication: You can translate a complex heap-buffer overflow or an IDOR into a business risk that a stakeholder can understand.
  • AI Expertise: You don’t need to be an AI expert, but you’re curious and willing to adopt AI tools to work smarter and deliver better results.
  • Expertise in OWASP Top 10 and SANS Top 25.
  • Working knowledge of security tools (e.g., Snyk, Semgrep, GitHub Actions, DAST, SAST).
  • A related technical degree is required.

Nice To Haves

  • Offensive Security: OSCP (Offensive Security Certified Professional), OSWE (Offensive Security Web Expert), or GWAPT (GIAC Web Application Pentester).
  • Architecture & Cloud: AWS Cloud Security Specialist or GCP cloud security expert.
  • Active participation in Bug Bounty programs (HackerOne, Bugcrowd).
  • Contributions to open-source security tools or research.
  • Experience with the Salesforce ecosystem.
  • Experience in applying AI innovations (Claude, Cursor, Gemini, etc.) to security assessments.
  • Proficiency with pentesting frameworks.

Responsibilities

  • SDLC: Embed security controls throughout the entire SDLC, ensuring that "shifting left" is a reality, not just a buzzword.
  • Threat Modeling & Risk Assessment: Lead deep-dive threat modeling sessions for complex SFMC integrations and custom applications.
  • Code Review: Perform manual, agentic and automated secure code reviews across a diverse stack, including Java, C#, PHP, and Python.
  • Security Research & Pentesting: Conduct and coordinate deep-dive penetration tests for high-risk features on internal and external-facing assets.
  • Identity & Access Management: Design and evaluate robust AuthN/AuthZ frameworks in products. You’ll be our subject matter expert on modern Identity Management (IDM) protocols (SAML, OAuth2, OIDC), Agentic Identity, and email/messaging platform security.
  • Infrastructure Evaluation: Audit and harden the infrastructure supporting our cloud environment, ensuring least-privilege access and resilient configurations.

Benefits

  • time off programs
  • medical, dental, vision, mental health support
  • paid parental leave
  • life and disability insurance
  • 401(k)
  • an employee stock purchasing program