Product Security Engineer, Reviews

As a Product Security Engineer, you will be responsible for conducting security reviews, code audits, and penetration tests across Okta’s products. You will collaborate with engineering teams to identify security vulnerabilities, recommend mitigations, and educate teams on security best practices. This role provides an opportunity to build technical expertise in web application security, authentication protocols, and vulnerability assessment methodologies.

This role is ideal for candidates looking to grow their technical depth in security, with opportunities to work on real-world security challenges, mentor with senior engineers, and contribute to security tooling and automation.

We value an attacker mindset—the ability to think like an adversary when assessing security risks. If you're excited about solving security challenges, learning new techniques, and making an impact on product security, this role is for you.

Job Duties and Responsibilities:

• Conduct security reviews, including design reviews, threat modeling, and penetration testing of new features and major changes.
• Conduct penetration tests on web applications, services, and infrastructure.
• Identify and report security vulnerabilities, providing clear mitigation strategies.
• Collaborate with engineers to improve security awareness and secure coding practices.
• Develop and enhance security tools and automation to identify vulnerabilities more efficiently.
• Assist in handling externally reported security vulnerabilities by investigating and validating reports.
• Stay up to date on emerging security threats and research new attack techniques.

Required Knowledge, Skills, and Abilities:

• Knowledge of web application security fundamentals and the OWASP Top 10 / CWE Top 25 vulnerabilities.
• Ability to perform manual secure code reviews in Java, .NET, Go, C, C++, Python, Swift, Kotlin, or similar languages.
• Hands-on experience with penetration testing techniques and tools like Burp Suite.
• Understanding of modern web application components, architecture, and security principles.
• Ability to explain security risks and remediation options to developers and product teams.
• Basic proficiency in scripting (Python, Bash, or similar) for security automation.

 Desired skills and Abilities:

• Familiarity with authentication and authorization protocols (OIDC, SAML, OAuth).
• Experience with mobile application security testing (Android/iOS).
• Exposure to SAST, DAST, SCA, or fuzzing tools.
• Understanding of cryptographic principles and secure implementations.
• Interest in network security, protocol analysis, and vulnerability exploitation techniques.
• Experience creating proof-of-concept scripts to demonstrate security findings.