Product Security Engineer - Mercari

本ポジションは日本語Jdの用意がありません。

Product Security Engineer - Mercari

• Employment Status:　Full-time
• Work Hours: Full Flextime (no core time)  
• Office: Roppongi

For more details, see the Overview of Our Positions section on our Careers site.

About Mercari

Circulate all forms of value to unleash the potential in all people

"What can I do to help society thrive with the finite resources we have?" The Mercari marketplace app was born in 2013 out of this thought by our founder Shintaro Yamada as he traveled the world. We believe that by circulating all forms of value, not just physical things and money, we can create opportunities for anyone to realize their dreams and contribute to society and the people around them. Mercari aims to use technology to connect people all over the world and create a world where anyone can unleash their potential. For more information about Mercari Group’s mission, see Mercari’s Culture Doc

Organization/Team Mission

Mercari Engineering Principles

Mercari Engineering Principles are a shared understanding that serves as the foundation of engineering beliefs and behavior at Mercari. The Engineering Principles are designed to complement the organizational identity (Mercari’s mission, values, and culture) from an engineering viewpoint. 

These principles ultimately help us achieve Mercari’s mission by defining the ideal state we seek to realize in the long term. 

• Passion For The Product
• Grow Together
• Solve Through Mechanisms
• Collaborate Openly

For more details, please see the following link:

• Engineering Culture

Mercari is looking for a security engineer to join our Product Security Team in Tokyo. The Product Security Team ensures that Mercari products meet security requirements and investigates, tracks, and assists in fixing security issues. The team strives to be a business enabler working on a variety of tasks and applying a risk-based approach to security-related decision making.

As a Product Security Engineer you will be responsible for eliciting and communicating security requirements to product teams, performing threat modeling, design reviews, and security testing. You will also be involved in evaluating, designing, developing, and deploying automated security assessment solutions (DAST, SAST, SCA, etc.) and take on the challenge of ensuring the safety of Mercari’s development lifecycle.

See here for more information about our mission and values.

Work Responsibilities

• Review product designs to define necessary security requirements based on threat modeling.
• Review proposed architectures and propose a set of security controls in order to minimize risk.
• Review source code to find security problems and potential vulnerabilities.
• Conduct vulnerability assessments and penetration testing on Mercari’s Backend, Web, iOS, and Android applications.
• Automate security checks and tests so that they can be easily and transparently plugged into the CI/CD pipeline.
• Develop technical solutions to help mitigate security vulnerabilities.
• Maintain technical and security standards for Web and mobile application technologies.
• Educate developers on secure coding practices with workshops, talks, and lessons.
• Evaluate and investigate suspected security events or incidents and perform remediation in accordance with Incident Response procedures.
• Collaborate with information security officers, the legal team, and internal auditors on technical security matters.

Unique Challenges

• Work with a modern, cloud-first development and deployment environment.
• Ability to work in an heavily AI driven development environment and having to adapt to rapidly changing technologies and new projects.
• This position will allow you to take full advantage of your skills and experience because you will work on a variety of projects ranging from an online marketplace to payments and IoT.
• Mercari offers a multicultural environment with colleagues from over 40 different countries and various backgrounds (experiences and skills), so you will be able to discuss and address issues from different perspectives and use that for personal growth.

Qualifications

• Required Experience/Skills
• Bachelor's degree or equivalent practical experience.
• Programming experience with one or more programming languages including but not limited to: Go, PHP, Java, Ruby, Python, Swift, Kotlin, or JavaScript.
• 4+ years of experience analyzing the security of systems (penetration testing, Web application security testing, vulnerability scanning, threat modeling, etc.).
• Good understanding of modern Web application architecture, TLS, HTTP, TCP/IP, and standard network and system security technologies.
• Experience with modern software development tools, such as distributed version control systems (git), dependency management, build systems, and CI/CD pipelines.
• Strong teamwork skills in a diverse environment.
• Effective interpersonal and communication skills.
• Preferred Experience/Skills
• In-depth technical knowledge of security engineering, computer and network security, Unix-based operating systems, mobile security, authentication, security protocols, and applied cryptography.
• Strong experience in securing both backend (Go, PHP) and frontend (Web, JavaScript, iOS, Android) applications with the ability to adopt new frameworks and technologies quickly.
• Good understanding of development methodologies such as Object-oriented Programming (OOP), Domain-driven Design (DDD), and Test-driven Development (TDD).
• Good understanding of microservice architecture and related security patterns.
• Good understanding of the inner workings of OAuth2 and OIDC implementations.
• Knowledge of container and orchestration technology like Docker and Kubernetes.
• Experience working with large-scale cloud infrastructure and services (GCP or AWS).
• Experience with securing large-scale cloud infrastructure through analyzing CSPM alerts from tools such as Wiz.
• Experience working in an agile and DevOps-centric environment.
• Language 
• Japanese: Ideal but not required
• English: Independent (CEFR-B2)For details about CEFR, see here.

Learn More About Mercari Group

• Careers site: https://careers.mercari.com/en/   
• Mercan: https://mercan.mercari.com/en/  
• Social media: X / Linkedin 
• Mercari’s passkey adoption
• The Art of the Security Double Play: How Mercari Combines Internal Audits and Custom CodeQL Queries to Keep Systems Safe
• The Mobile Attack Surface | Mercari Engineering
• Mapping the Attack Surface from the Inside | Mercari Engineering
• DevSecOps: What Is It and Why Is It Gaining Momentum in the Industry? | Mercari Engineering
• Securing the SDLC at Mercari: Solutions for Automated Code Scanning
• The Product Security Team: Supporting All Phases of Mercari’s Product Lifecycle | mercan (メルカン)
• Mercari Appoints Naohisa Ichihara as New CISO: Making a Mark in History with the Goal of Establishing the World’s Most Secure Marketplace
• Going Beyond Diverse to Become Borderless: The Culture of Mercari’s Security & Privacy Team
• Security | Mercari Engineering blog
• Security/Privacy | mercan 

Recruiting At Mercari

At Mercari Group, we value empathizing with and embodying the mission and values ​​of the Group and each company. To promote the creation of an organization that maximizes the total amount of value exhibited by all members, we would like to understand the experience and skills of each candidate as accurately as possible.

Recruiting cycle at Mercari Group

• Application screening
• Skill assessment: For engineering positions, you will be asked to complete a skill assessment on HackerRank or GitHub. For non-engineering positions, you may be asked to complete an assessment depending on the position. (The timing of the assessment may coincide with the interview process.)
• Interview: The number of interviews may vary depending on the position.
• Reference check: We will ask for online references around the timing of the final interview.
• Offer: Offers will be determined carefully in consideration of the final interview and the reference check.

　Learn more about our recruiting process here.

Equal Opportunity Hiring

Here at Mercari, we work to realize a world in which no one’s potential is limited by their background and everyone has the opportunity to freely create value. We also firmly believe that a mindset of Inclusion & Diversity is essential for us to achieve our mission.

This, of course, extends to our hiring practices as well. Mercari is committed to eliminating discrimination based on age, gender, sexual orientation, race, religion, physical disability, and other such factors so that anyone who shares our mission and values can join us, regardless of their background. For more details, please read our I&D statement.

Please read and acknowledge our Privacy Policy prior to submitting your application.