
This job has expired

Lead Security Engineer

Employer
Salesforce.com, Inc
Location
Reston, VA
Closing date
Dec 3, 2021


Industry
Other
Function
IT
Hours
Full Time
Career Level
Experienced (Non-Manager)
To get the best candidate experience, please consider applying for a maximum of 3 roles within 12 months to ensure you are not duplicating efforts.

Job Category
Products and Technology

Job Details
The Reference Designs, Security Controls, and Architecture (REDSCAR) Team is focused on reducing security risk and systemic security issues in Salesforce infrastructure and products. This is done by developing and publishing reference architectures (patterns), supporting documentation that shows how to use and implement security controls correctly on-premise (1P) and in public cloud (e.g. AWS, Azure), and guardrails that let us reduce risk at scale. There is a lot of complexity driven by inherent technical debt, but we succeed by influencing, advocating, and promoting technology transfer of the patterns we produce to all our stakeholders (both internal and in the CISO org). Our vision is that our solutions are widely accepted and adopted throughout the company, and a laser focus on success is maintained in this area through influence and advocacy. We believe that in all cases, workable implementations are one of the most influential ways to drive change within our organizations. While we are involved in and driving efforts across multiple platforms, with a specific focus on infrastructure security, there is currently an emerging need to enhance our coverage and engagement around security controls for Alibaba as well as application security. In addition, there is a need to transition our immediate organization to a unified risk rating framework and to establish a cross-organizational program to design and conduct periodic assessments of common security controls at Salesforce.

Effectiveness assessments must be able to determine, effectively and efficiently, the operational effectiveness of common controls and the extent of their adoption at Salesforce, so that it is clear which level of effectiveness each control falls under (inoperative, inadequate, adequate, effective, optimized). The results of the assessment are critical: they will allow the entire organization to be consistent when determining inherent risk, and they will be used to prioritize future investments. They will need to be communicated to a wide range of stakeholders, including the leadership team. Finally, there is a strong need to reduce systemic security risk at scale. Focusing on the most prevalent vulnerability classes and identifying scalable ways to reduce security risk through process, tooling, policy, architecture, and/or training enhancements is crucial for managing risk and inherent technical debt.

Essentials

Must-Have:
* Significant demonstrated experience architecting and developing security solutions within a secure software development lifecycle program or secure lifecycle improvement efforts
* Experience working in high-velocity distributed software development organizations, e.g. Facebook, Netflix, Airbnb, Amazon, Google, etc.
* Involvement in one or more non-trivial public cloud migration programs in which you designed or developed solutions to support the effort
* Experience developing mitigations for OWASP Top 10 security vulnerabilities and/or WASC 25 security vulnerabilities
* An ability to translate compliance and security requirements into product requirements and to implement them in automation
* Demonstrated experience establishing and leading cross-functional programs
* Ability to adapt to evolving security and business priorities quickly and effectively
* Understanding of penetration testing methodologies and of the defensive implementations that mitigate the concerns they uncover

Cloud Security Role Must-Have:
* Demonstrated understanding of and experience with AWS, Azure or Alibaba (experience with GCP is a plus)
* Understanding of modern infrastructure and application development using public cloud primitives. You should be familiar with Kubernetes (K8s), serverless architecture, and infrastructure-as-code tools such as Terraform, Ansible, Chef, Puppet and SaltStack
* Strong understanding of application security controls and their implementation at scale (e.g. SAST, DAST, security libraries, third-party libraries)
* Experience building security tools for Continuous Integration (CI) and Continuous Deployment (CD) systems. Familiarity with DevSecOps principles for integrating security solutions into products like Jenkins, Spinnaker and Helm, at scale.

Nice to have:
* Experience implementing, contributing source code to, or wielding automated security assurance solutions in the public cloud (e.g. Zelkova, Open Policy Agent).
* A public profile and history of delivering talks and presentations at leading security conferences (e.g. USENIX, Enigma, AWS re:Invent, Cloud Native Computing Foundation events) is a plus.
* A body of contributions to open source security projects related to the public cloud is a plus.
* Comfort and familiarity with qualitative and/or quantitative risk ranking approaches, e.g. NIST, FAIR, etc.
* Confidence and a track record of presenting and communicating to a wide audience, including executives, developers and customers.

Accommodations
If you require assistance due to a disability when applying for open positions, please submit a request via this Accommodations Request Form (https://careers.mail.salesforce.com/accommodations-request-form).

Posting Statement
At Salesforce we believe that the business of business is to improve the state of our world. Each of us has a responsibility to drive Equality in our communities and workplaces. We are committed to creating a workforce that reflects society through inclusive programs and initiatives such as equal pay, employee resource groups, inclusive benefits, and more. Learn more about Equality at Salesforce and explore our benefits. Salesforce.com and Salesforce.org are Equal Employment Opportunity and Affirmative Action Employers. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status. Salesforce.com and Salesforce.org do not accept unsolicited headhunter and agency resumes. Salesforce.com and Salesforce.org will not pay any third-party agency or company that does not have a signed agreement with Salesforce.com or Salesforce.org. Salesforce welcomes all.

Founded in 1999, Salesforce is the global leader in Customer Relationship Management (CRM). Companies of every size and industry are using Salesforce to transform their businesses, across sales, service, marketing, commerce, and more, by connecting with customers in a whole new way. We harness technologies that can revolutionize companies, careers, and, hopefully, our world. Salesforce is built on a set of four core values: Trust, Customer Success, Innovation, and Equality.

By making technology more accessible, we're helping create a future with greater opportunity and equality for all. This has taken our company to great heights, including being ranked by Fortune as one of the Most Admired Companies in the World and one of the 100 Best Companies to Work For eleven years in a row, and being named Innovator of the Decade and one of the World's Most Innovative Companies eight years in a row by Forbes. There are those who choose to work with the best and brightest. And then there are those who want to do more than just a job. They are the ones improving lives, not only their careers. Having an impact now instead of later. Doing something that's so much bigger than themselves, an industry, and their company. We believe everyone can be a Trailblazer. Join Salesforce and discover a future of new opportunities.
