求人概要
Job Type
正社員
Japanese Level
不要
Category
Tech & Engineering
職務内容
We’re a ~40 person company building the OAuth/OpenID Connect platform that large digital banks and regulated industries run their identity on. Our stack is Java on Google Cloud, delivered as a shared multi-tenant service, dedicated single-tenant clusters, and a self-managed product customers run themselves. This is a hands-on builder role, not a management or pure-compliance role. You’ll build our security program from the ground up: writing the policies, shipping code fixes, wiring detection into GCP, and setting the practices the rest of engineering follows. You’ll lean on AI to move fast, researching how the best companies do this, drafting policies, reviewing code, and hunting vulnerabilities at a scale a lean team otherwise couldn’t reach. What you'll do Stand up our vulnerability management program end-to-end: intake, triage, severity, remediation targets, security advisories, and coordinated disclosure, across both our managed and self-managed deployment models. Build our product security incident response (PSIRT): on-call, playbooks, and AI-assisted triage that turns High/Critical CVEs into paged incidents automatically. Work hands-on in the codebase, contributing security fixes to our Java platform and raising the bar on secure coding, secrets and key management, and hardening. Build proactive detection and response in GCP: alerts, monitoring, and automation where it pays off. Integrate security into CI/CD and IaC: dependency and container scanning, Terraform checks. Own our external security posture: security.txt, a security contact, a public trust page, and a security white paper. Get ahead of frontier-AI offensive tooling (the Mythos class of AI-discovered zero-days) by pointing AI agents at our own code before someone else does. Partner with platform engineers on security-relevant architecture and lead its security dimension. Support ISO 27001 and SOC 2 controls pragmatically alongside engineering, without the role becoming audit admin. What we're looking for A hands-on security engineer who codes. You’re comfortable reading and writing code (Java, Go a strong plus), Terraform, and GCP configs, not just reviewing others’ work. Strong application security foundation: secure coding, vulnerability management, security in CI/CD. Cloud security depth on GCP, IAM, Kubernetes, infrastructure hardening. Incident response experience: investigations, detection tooling, and clear communication with customers or regulators. You’re energized by owning the whole spectrum at a small company rather than going narrow at a large one. Bonus: OAuth/OIDC, FAPI, or identity-security background; ISO 27001 or SOC 2 exposure. Why Join Us Own security for a platform used by large financial and regulated customers Work closely with founders, engineering, and customers Modern, cloud-native environment without unnecessary overhead Competitive pay and flexibility

