Humbly Confident Senior Security Engineer
UTC-8 - UTC+1
We build “You Need a Budget,” the best budgeting software and educational resources around. (Those in the know call us YNAB, which is pronounced “why-nab.”) For more than a decade, people have been buying YNAB and then telling their friends what a difference it has made in their lives. Google us, or read some of our reviews on the app store, and you’ll see what we mean. We love building something that has a huge positive impact on people’s lives.
We’ve taken the stance that it's best to make secure practices and choices a practical part of our company culture from day one. Consequently, we have a number of programs and practices in place that we’re proud of, and you can read about some of our public-facing ones in our security policy. But security is a journey, and although we have plenty of people who get obsessive about security, we’re at the point in our journey where we want someone who gets to obsess about security all day, every day. And that’s where you, our new security engineer, come in. You love helping those around you make good decisions around security and are experienced in helping build trust and comprehension around best practices. You are a critical thinker with an open mind, you reason/debate with empathy, have strong communication skills, and have deep respect for the power of collaboration.
We have one overarching requirement when it comes to joining our team: our Core Value Manifesto has to really click with you. If you’re nodding emphatically while reading this, you’ll probably like it here, and we can’t wait to connect with you!
Of course, we have some firm* requirements too, like five years of experience building software, with at least 3 years dedicated to a security-focused role.
*Well, firm-ish. If you know you’re a great fit for this role but fall a little short of the five-year requirement, we encourage you to go ahead and apply. We don’t need you to be the perfect candidate on paper.
On a similar note, we know impostor syndrome can be a powerful force and may discourage fantastic people from applying. Please apply anyway. Many of us here have it too, so you’re in good company.
Okay, let’s talk about life at YNAB, and then we’ll go into detail about what we’re looking for.
You’ll naturally work with engineers, but you’ll also frequently work with everyone in our cross-functional product teams: Designers, Product Managers, and Customer Support. And since your security recommendations will often apply to how we work internally, you’ll work with employees in marketing, education, and operations too.
All of our employees have one thing in common: They’re a joy to work with. You won’t find heated arguments and raised voices here. We save our competitive spirit for YNAB’s external competitors (or the occasional spirited board/video game session), but internally we build up our teammates and celebrate their successes.
We are all keenly aware of our work's impact on customers and the company, and we recognize security and privacy are an essential part of every role, regardless of title.
So, security isn't a hard sell around here. We all work and sleep a little bit better when we know how to architect a system that is secure by design, and when we know that an errant click on that attachment isn't going to destroy the company.
And when one of us does make a security mistake, we'll admit it because we blame faulty processes, not people.
We also work really hard, together, to make working at YNAB an amazing experience, and we were (humbly) proud to be named Fortune’s #1 Best Small Company to Work For the last two years. We have a team of truly exceptional people—the kind you’ll be excited to work with. Here’s how we operate:
YNAB appreciates, respects, and trusts the expertise and judgment of our engineers. We empower them to do what they think is right.
We also work collaboratively. We continuously seek the right amount of structure and unity necessary to maximize productivity. Where it makes sense, we designate someone to make a call.
Even though our people are right a lot, it's okay to make mistakes here. Exploration and calculated risks are vital to velocity and growth. We freely admit when we're wrong. If something doesn't go as expected, we learn, bounce back, and make corrections.
You won't be alone; others will be there to help, review, reassure, and back you up. We own our processes and collective outcomes as a team.
We’ve always been a fully remote team, and have people all over the world. For this role, you’ll need to be located somewhere between the Pacific Time Zone (UTC-8) and the Central European Time Zone (UTC+1). For instance, North America and most of Europe work well. Wherever you are, just make sure you have a reliable internet connection.
We want everyone to have a full life outside of YNAB, and we seldom work more than 40 hours per week. There have been a few occasions where things got busy and people had to put some extra time in. But then they took some extra time off, so it all balances out. We work hard and smart, but we’re in this for the long haul.
We want you to take vacation. In fact, we have a minimum vacation policy of three weeks per year. Five weeks feels about right (plus two extra weeks for our company-wide December break). It’s important to get plenty of downtime and get out and do something. We’ll look forward to seeing pictures of your adventures in our #office_wall Slack channel.
When the pandemic isn’t keeping us from traveling, we get the whole team together once a year to catch up on spreadsheets and powerpoints in a Best Western conference room. Just kidding. So far, we’ve done Costa Rica, a gigantic cabin in the mountains, a beach house in the Outer Banks, a ranch in Montana, and most recently, Laguna Beach. We do really fun things at these retreats, but the highlight is inevitably just being together and having a blast.
We’re serious about helping you improve your craft. We budget for it (hey-o!). Think conferences, Lynda/Skillshare subscriptions, books, and dedicated time away from work to learn something new. We love to see our people grow.
Our team is spread across the globe, including Switzerland, Mexico, Canada, Brazil, the United Kingdom, and all over the United States. We set up team members in the US and UK as employees, and those in other countries as independent contractors.
As mentioned above, we have some time zone restrictions for this role, but as long as you're between UTC-8 and UTC+1, we’re good!
We offer excellent health, dental, and vision insurance for our US employees, where we cover 100% of the premium for you and your family. No need to check your vision, you read that right—100%. Although if you did need to check your vision, we’ve got you covered!
We also have a Traditional and Roth 401k option. YNAB matches your contributions, up to six percent of your paycheck. Matches vest immediately. (Are you a personal finance junkie like our founder Jesse? He set up YNAB’s 401k to have the lowest fee structure possible, where all plan costs are paid by YNAB, not your retirement nest egg. The investment funds available are fantastic, passively-managed, ultra-low-cost index funds. Not a PF junkie? Trust us, it’s awesome.) For UK employees, we also contribute six percent to your pension.
We also offer generous paid parental leave for all full-time team members. Here’s to increasing the world’s budgeters, one child at a time!
The starting salary range for this position is $142,000-$170,000 USD annually, depending on experience. We consider raises every year, and have a bi-annual profit-share bonus. YNAB wins, you win—that kind of thing.
- Once you start, we DEMAND (in a friendly, ALL CAPS IS YELLING way) that you fill out your “Bucket List” spreadsheet with 50 items. (That’s harder than it sounds!)
- The bucket list really helps in deciding what we should give you for your birthday and the holidays.
- We’re all adults. There’s no need to punch a clock or ask for permission to take off early one afternoon to go see the doctor. We look at what you accomplish, not how long you sit (have you tried standing?) in front of a computer.
- We’re currently trialing a four-day work week! For us, this means four regular days of work followed by a three-day weekend…every week. This is new to us, and we're learning a lot, but we're excited about what it could mean both for the company and our team members.
- We want you firing on all cylinders so we’ll set you up with a top-of-the-line computer and will replace it regularly.
- Did we mention we make a huge, positive difference in the world?
If this sounds like your ideal environment, read on because now we want to talk about you. You will play a big part in building something easy and joyful to use that helps millions of people discover budgeting as an essential financial and life-planning tool. You will change lives.
When you read the following list, you’re probably going to think, “This sounds great. I could really help in these areas,” and then a few bullet points later, you’ll think, “Wait, this is too much for one person,” and that’s almost certainly true. Luckily this is only the first position we’re filling for our security team. We need your help to figure out the details, but as we learn more we can talk about growing that team where necessary. In addition, you'll have:
- The recognition that just because you'll act as our main consultant in these areas, you won't necessarily be the main implementer.
- Reasonable expectations regarding timelines.
- The experience necessary to know where to prioritize your energy first, based on solid risk analysis of threats, their likelihood, and their impact.
- The authority to recommend how to build out and hire our security team as we grow.
- The ability to think strategically and long term, and turn that thinking into tactical progress/accomplishment.
So although we’re searching for a security unicorn with a wide depth and breadth of knowledge, we’re not expecting you to be a magical unicorn!
- We have experienced, security-savvy engineers, and you will help ensure they follow secure development practices and build rigor around our software development life cycle to make it secure.
- Triage incoming bugs from our ongoing Bug Bounty Program with the appropriate application engineers.
- Assist and train us in performing security-focused code reviews.
- Utilize your experience in constructing systems that are secure by design to act as the primary security consultant for our engineers as they architect new systems.
- Investigate intrusion and account-takeover (ATO) attempts using our application monitoring stack, and recommend infrastructure improvements to make subsequent intrusion attempts easier to identify and block.
- Make meaningful recommendations for Security Information and Event Management (SIEM), and know what that would look like for a fully remote SaaS company.
- Keep abreast of best practices and vulnerabilities to ensure that we don't fall behind as attackers innovate.
- Evaluate and coordinate with 3rd party auditors to perform penetration tests and code audits. (And when you read their report, you can easily distinguish between the marketing fluff and the scary stuff.)
- Recommend automated tests to help detect vulnerabilities before we ship them.
- Introduce security standards that are enforced through robust documentation and empathetic guidance.
- Reason clearly about security and product tradeoffs and balance such priorities in decisions.
- Find improving engineering standards, tooling, and processes rewarding.
- Evaluate and augment our Internal Security Policies and Governance Documents.
- Know how to find the balance between policies that make us extremely secure, but paralyze the organization, and lax policies that are extremely efficient, but leave us one click away from a business-ending ransomware attack.
- Work with Operations/IT to:
  - Ensure we have configured our internal business applications correctly and securely.
  - Recommend cloud providers for security-sensitive operations, like identity management, account provisioning, etc.
  - Perform internal risk assessments to help guard against the most probable security threats our business faces.
  - Evaluate and recommend internal security training materials that are actually useful.
  - Assess our existing infrastructure, from physical asset practices to network settings.
  - Respond to security questionnaires from potential vendors.
  - Help navigate new legislative requirements regarding data privacy.
  - Identify threats and vulnerabilities in a fully remote SaaS environment.
  - Prepare for potential threats that could disrupt operations.
- We help our customers to make secure decisions by default, and you will help improve our existing systems designed to: prevent bad/breached passwords, encourage enabling 2FA, resist phishing and self-XSS attempts, etc. You will coordinate with the product and engineering teams to evaluate our efforts and make recommendations to improve them.
- Consult with our Head of Product, Head of Technology, Operations, and attorneys to help respond to, and potentially automate our (rare) GDPR/CCPA requests.
- Field internal and external security questions regarding the treatment of sensitive data.
- Keep our external security and privacy policies up to date.
You have a strong technical background with at least 5 years of experience related to building, shipping, and securing software, ideally in a SaaS environment.
We recognize that people get into software “security” by many paths, so it’s difficult to boil our experience requirements down to a perfect list of bullet points, but you are the person we’re looking for if you:
- Are not only undaunted but excited about the above list of responsibilities and appropriately confident in your ability to tackle most of them.
- Are a collaborative team player, but also comfortable working independently with lots of autonomy.
- Have enough experience to be surprised to see us leave certain things out of the above job description, and look forward to educating us.
- Have broad enough skills to be able to make best-practice security recommendations for our organization as a whole, while having deep enough skills to be able to recognize and potentially even exploit top OWASP vulnerabilities like SQL injections, XSS, etc.
- Have worked on, and potentially led, a security team before with a title like Application Security Lead or Application Security Engineer.
- Are an excellent written and verbal communicator.
- We divorce management expertise from technical expertise here, and this is a technical role. Although you don’t have to know how or desire to manage people, you must be extremely personable and able to effortlessly be a liaison and champion of security and policy between all teams and levels at YNAB.
If your path to the world of information security involved “hacking”, and you have a criminal record as a result, we’ll still consider you depending upon the circumstances. Let us know upfront so we can talk about it rather than be surprised when doing our background checks.
YNAB is an equal opportunity employer. We believe a diversity of backgrounds, beliefs, abilities, and experiences is critical to our success. We are passionate about creating a welcoming, supportive, and collaborative environment for all employees. All are encouraged to apply as we continue to grow a smart, experienced, and diverse team that loves working together to build something that matters.
- Click the ‘Apply’ button below. You’ll be directed to an Application Form, which will only ask for your email address. (This will seem a little strange. We apologize, and appreciate you bearing with us.)
- Once you’ve submitted your email address, check your email for further instructions. If you don’t see a message from us, be sure to check your spam folder.
- The deadline is 11:59 pm PT on Sunday, July 10, 2022.
- Our goal is to make the hiring process as accessible as possible. If we can help you with an accessibility need, email us at firstname.lastname@example.org. Be sure to indicate in the subject line that you’re applying for the Senior Security Engineer position. (Please note that this inbox is only monitored for messages related to accommodations.)
We’re excited to hear from you!
P.S. If you’re not interested in this position right now, but know someone who might be, we’d appreciate you passing this along!