Security is a core value at Credit Karma. We help millions of people better manage their credit, and safeguarding their sensitive information is critical to our continued success. From the CEO down to each individual developer, everyone views security as a personal responsibility. The successful candidate should understand basic concepts such as networking, applications, and operating system functionality and be able to learn advanced concepts such as application manipulation, exploit development, and stealthy operations. Your mission as an SPLC Champion is to operationalize the Secure Product Lifecycle (SPLC) by empowering champions from each product line with tools, education, and awareness campaigns, creating a security-first mindset toward protecting member and partner data. You will identify potential weaknesses in the foundational infrastructure and strategically reinforce them, so that engineering teams can focus on new features.

What You'll Do

  • Establish and drive the Secure Product Lifecycle methodology and tools within Credit Karma and instill a security-first mindset across the organization.
  • Partner with Product Management and Engineering using a consultative approach to adapt security approaches to changing business strategies and priorities.
  • Envision, design and implement core libraries and wrappers which surface key security concerns and automatically address them wherever possible.
  • Continuously advance the Security Champions Program to develop and embed security skill sets within the development, engineering, and operations teams across the Product Lines.
  • Advance application scanning and testing integration with CI/CD pipelines to minimize security defects and improve overall Product quality.
  • Develop and maintain training curricula to ensure the Security Champions are kept up to date with all current and emerging technologies applicable to Credit Karma.
  • Act as a security subject matter expert and evangelist within the company and broader community.
  • Evaluate the key frameworks (and their ecosystems) that form the core platform for Credit Karma Engineering, looking for areas where framework improvements could eliminate the potential for vulnerabilities to be introduced.
  • Support vulnerability remediation by recommending holistic solutions instead of brittle point-fixes.
  • Understand and deploy web security standards at an organizational scale (e.g. Content Security Policy (CSP), Subresource Integrity (SRI)).
  • Crowd-source security best practices within the Credit Karma Engineering community to empower champions to handle operational security at the application and infrastructure levels.

What We Expect

  • Minimum 8 years of security experience, as both a builder and a breaker, in the following: mobile and web application assessments; network penetration testing and manipulation of network infrastructure; email, phone, or physical social-engineering assessments; developing, extending, or modifying exploits, shellcode, or exploit tools; reverse engineering malware, data obfuscators, or ciphers; cloud security and security architecture, including GCP security controls.
  • Experience delivering reports and presenting findings, specifically to technical IT staff and management.
  • Technical depth in many, if not most, of the following areas: LAMP stack, Node.js, Scala/Java, mobile, PKI, HTTP-based SOA/microservices, encryption, hashing, tokenization, secure randomness, Hardware Security Modules (HSMs), canonicalization, output encoding, message-based security, rate-limiting, anti-automation, role-based access control (RBAC), and large-scale data transport.
  • Working knowledge of all vulnerability classes in the OWASP Periodic Table of Vulnerabilities, with a clear grasp of designs that make it impossible for developers to introduce those vulnerabilities.
  • Thorough understanding of InfoSec control frameworks and how they can be realistically implemented.
  • Thought leadership in the security field, with demonstrable contributions to industry groups.
  • Artful communication skills and organizational savvy to steer peers and leadership toward solutions that carefully balance business, risk, compliance, and engineering concerns.