Product Security Engineer

Our Mission:
ButterflyMX is on a mission to empower people to open and manage doors & gates from a smartphone. Our products are installed in more than 15,000+ multifamily, commercial, gated communities, and student-housing properties worldwide, including properties developed, owned, and managed by the most trusted names in real estate. Our features are designed for developers, owners, property managers, and tenants and our products lower operating costs and improve tenant satisfaction.

Our Solution:
Developers and owners no longer need to run building wiring or install in-unit hardware. Property managers can grant building access, revoke permissions, and review entry logs from an online dashboard. Residents can open doors from their smartphones, issue visitor access, and see who is trying to enter the building.

Our Culture & Values:
Fantastic people are the key to our success. As a distributed, primarily remote workforce, we’re looking for more intelligent, passionate, collaborative, and down-to-earth individuals to join our growing team. We’re driven by a shared commitment to excellence and innovation, grounded in our core values: We delight our customers, We take ownership, We are a community of collaborators, We speak up, We think big and do small, and We are tenacious.

About the role

Are you ready for an exciting, unique & game-changing opportunity? Join us as a Product Security Engineer at ButterflyMX, where you will assume a pivotal role in delivering substantial value to the organization by prioritizing the protection of clients', tenants’ & employees' information assets, ensuring the comprehensive security of systems & data. You will mature, build, scale & operationalize our information security program as a senior security engineer. Your expertise will be instrumental in safeguarding our innovative solutions & protecting our valuable assets &, most importantly, our customers & tenants. 

As our Product Security Engineer at ButterflyMX, you'll wear multiple “security hats” to ensure the resilience, safety, confidentiality, availability & integrity of our cloud, IoT, mobile, web-based solutions & data throughout the environment. This role will report directly into our VP of Information Security & Privacy.

What You’ll Do

• Design, implement, mature & maintain our robust security controls & processes across our technology stack to protect sensitive data & systems
• This role will wear multiple hats, including Security Engineer, SOC Analyst, GRC Analyst, & Privacy Analyst while the team is building out. You should be flexible, a go-getter & a self-starter to be successful in this role.
• Lead vulnerability management & remediation efforts to improve the security posture & resiliency of ButterflyMX – prioritizing solutions, implementing mitigations, & designing strategic preventative controls
• Build out Security Assessment, red-teaming, application security & product security capabilities
• Manage internal & external penetration testing efforts. You should be comfortable executing a penetration test with both manual & automated testing techniques, doing source code reviews, & working with developers &/or devops engineers to remediate the findings.
• Mature & lead threat modeling 
• Ensure security controls are implemented to enable compliance with industry standards, regulations, frameworks,& best practices (e.g., SOC2, ISO, NIST, CIS, GDPR, CCPA)
• Evaluation, analysis & implementation of new security technologies & solutions to enhance the organization’s security posture
• Collaborate with cross-functional teams to integrate security & privacy seamlessly into our product development lifecycle
• Stay up-to-date with the latest security threats, technologies, & trends to proactively protect our systems
• Develop & conduct regular security awareness training & security education programs for employees
• Serve as a point of contact for customers & partners regarding security-related inquiries
• Foster a culture of security awareness & accountability throughout the organization

• 5+ years of security engineering experience building, managing & scaling security operations at a fast-paced, agile/dynamic, cloud native, technology-driven startup
• You enjoy working as a security engineer in organizations that develop software as a service &/or operate managed infrastructure & technology services for their own customers
• Experience securing a tech stack/solution that includes SaaS, Mobile, & IoT
• Experience working with cross-functional teams to identify & mitigate security, compliance & data privacy risks
• Proficiency with performing penetration testing, application security assessments & secure code reviews on applications with an AWS cloud tech stack built for providing SaaS.
• Expertise in developing & maturing Threat Models working with engineering teams to ensure application resiliency
• Expertise in DevSecOps practices, such as automating security testing within CI/CD pipelines & conducting static & dynamic code analyses, through remediation of findings.
• Experience automating security controls. Proven technical proficiency using Terraform & other infrastructure as code tools, with a strong track record of managing vulnerabilities in ephemeral cloud infrastructure environments.
• Extensive experience & expertise across multiple security domains including cloud security, data security, network security, application security, incident management, threat/vulnerability/patch/configuration management, identity & access management..
• Strong understanding of security best practices, frameworks, standards, & compliance requirements, & particularly how these apply to a startup environment through enterprise environments. Experience maturing security controls as an organization matures.
• Experience maintaining SOC 2 Type II compliance & associated security controls within an organization
• Demonstrated technical expertise in implementing data privacy controls & safeguards to include facilitating the deployment of technical measures to ensure compliance with data privacy regulations such as GDPR & CCPA
• Incident response management: Experience in developing & implementing incident response plans, conducting investigations, & managing security incidents effectively
• Demonstrated ability to educate an engineering audience about technical application security vulnerabilities, i.e., OWASP Top Ten, OWASP API Security Top 10
• Adept in a data-driven approach for decision-making & a risk-based mindset to prioritize & address security concerns effectively.
• Experience with implementing Security & Privacy by design principles into a development lifecycle involving incorporating threat modeling to identify potential risks & ultimately design appropriate security controls.
• Customer focused & Solution oriented, Enthusiastic, Empathetic, Adaptable/Flexible, Bias for Action, Forward thinking, Optimistic, Trusted Advisor
• Important to see everyone is a customer & that everyone is on the security team
• A strong inclination to dive into the details, actively engaging in hands-on work
• Continuous improvement mindset. Pursues ongoing professional development, stays updated with emerging threats & technologies.
• Industry certifications such as AWS Security Certified, CISSP, CCSP, CSSLP, GXPEN, OSCP, SANS Certifications, Burp Suite Certified, Security+, CEH, CIPP, CIPT