Product Security Engineer at ClickHouse

What you'd actually do

Collaborate with engineering and product on improving existing and building new product features with focus on threat modeling, assurance and secure implementation, some examples of recent work include implementation of secure key management, passwordless authentication, m2m authentication, sandboxing and compute/network/storage isolation

Identify security gaps and vulnerabilities in ClickHouse Cloud and OSS, triage a wide range of vulnerabilities reported via our bug bounty program, responsible disclosure, GitHub Issues covering web, API and server - client assets including low level memory issues like heap or buffer overflows

Improve and develop security assurance activities - pentests, vulnerability assessments, bug bounty programs, fuzzing

Drive implementation and usage of engineering security tools - static, dynamic code analysis, dependency checks, code licensing compliance (working knowledge of Snyk, Semgrep, GitHub CodeQL)

Develop processes, tooling and automation to scale security processes and mitigate risks to the business

Skills

Required

Experience supporting engineering and product implementation efforts by performing threat assessments, assurance activities, advisory as well as, in some cases, implementation work across distributed systems covering web, API, client/server assets
Strong knowledge of and experience with one or more cloud service providers (e.g. AWS, GCP, Azure), Kubernetes, Cilium
Experience implementing and operating engineering security tools and processes (e.g. static / dynamic code analysis, software composition analysis, SBOM, OWASP SAMM, client and network fuzzing tools)
Significant development and automation experience, ability to work with C++ code
Security as code mindset, with focus on solving problems with automation and scale in mind

Nice to have

BS, MS, or PhD in Computer Science or related field
Previous contributions to open source projects
Security or cloud related certifications (AWS, GCP, Azure)

What the JD emphasized

threat modeling

assurance

secure implementation

security gaps

vulnerabilities

bug bounty program

responsible disclosure

low level memory issues

pentests

vulnerability assessments

bug bounty programs

fuzzing

static, dynamic code analysis

dependency checks

code licensing compliance

Snyk, Semgrep, GitHub CodeQL

engineering security tools

automation

scale security processes

mitigate risks

About ClickHouse

Established in 2009, ClickHouse leads the industry with its open-source column-oriented database system, driven by the vision of becoming the fastest OLAP database globally. The company empowers users to generate real-time analytical reports through SQL queries, emphasizing speed in managing escalating data volumes. Enterprises globally, including Lyft, Sony, IBM, GitLab, Twilio, HubSpot, and many more, rely on ClickHouse Cloud. It is available through open-source or on AWS, GCP, Azure, and Alibaba.

**About the team **

The Security Team is responsible for providing key security capabilities covering application, cloud and enterprise security, incident response, detection and GRC. Our team is looking for an experienced, hands-on security practitioner, who will drive the adoption of modern security processes and tooling, with focus on supporting our engineering and product teams in improving the security posture of our platforms and services.

Note: This position can be fully remote anywhere in the Netherlands.

What you will do:

Collaborate with engineering and product on improving existing and building new product features with focus on threat modeling, assurance and secure implementation, some examples of recent work include implementation of secure key management, passwordless authentication, m2m authentication, sandboxing and compute/network/storage isolation
Identify security gaps and vulnerabilities in ClickHouse Cloud and OSS, triage a wide range of vulnerabilities reported via our bug bounty program, responsible disclosure, GitHub Issues covering web, API and server - client assets including low level memory issues like heap or buffer overflows
Improve and develop security assurance activities - pentests, vulnerability assessments, bug bounty programs, fuzzing
Drive implementation and usage of engineering security tools - static, dynamic code analysis, dependency checks, code licensing compliance (working knowledge of Snyk, Semgrep, GitHub CodeQL)
Nurture the engineering - security relationship, identify and implement process and technology improvements
Handle information security events and incidents across ClickHouse products and services
Develop processes, tooling and automation to scale security processes and mitigate risks to the business

What you bring along:

Experience supporting engineering and product implementation efforts by performing threat assessments, assurance activities, advisory as well as, in some cases, implementation work across distributed systems covering web, API, client/server assets
Strong knowledge of and experience with one or more cloud service providers (e.g. AWS, GCP, Azure), Kubernetes, Cilium
Experience implementing and operating engineering security tools and processes (e.g. static / dynamic code analysis, software composition analysis, SBOM, OWASP SAMM, client and network fuzzing tools)
Significant development and automation experience, ability to work with C++ code
Security as code mindset, with focus on solving problems with automation and scale in mind

Bonus Points:

BS, MS, or PhD in Computer Science or related field
Previous contributions to open source projects
Security or cloud related certifications (AWS, GCP, Azure)

Compensation

For roles based in the United States, the typical starting salary range for this position is listed above. In certain locations, such as Los Angeles, CA, the San Francisco Bay Area, CA, the Seattle, WA, Area, and the New York City Metro Area, a premium market range may apply, as listed.

These salary ranges reflect what we reasonably and in good faith believe to be the minimum and maximum pay for this role at the time of posting. The actual compensation may be higher or lower than the amounts listed, and the ranges may be subject to future adjustments.

An individual’s placement within the range will depend on various factors, including (but not limited to) education, qualifications, certifications, experience, skills, location, performance, and the needs of the business or organization.

If you have any questions or comments about compensation as a candidate, please get in touch with us at paytransparency@clickhouse.com.

Perks

Flexible work environment - ClickHouse is a globally distributed company and remote-friendly. We currently operate in 20 countries.
Healthcare - Employer contributions towards your healthcare.
Equity in the company - Every new team member who joins our company receives stock options.
Time off - Flexible time off in the US, generous entitlement in other countries.
**A $500 Home office setup **if you’re a remote employee.
**Global Gatherings **– We believe in the power of in-person connection and offer opportunities to engage with colleagues at company-wide offsites.

Culture - We All Shape It

As part of our first 500 employees, you will be instrumental in shaping our culture.

Are you interested in finding out more about our culture? Learn more about our values here. Check out ourblog posts or follow us on LinkedIn to find out more about what’s happening at ClickHouse.

**Equal Opportunity & Privacy **

ClickHouse provides equal employment opportunities to all employees and applicants and prohibits discrimination and harassment of any type based on factors such as race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic protected by federal, state or local laws.

Please see here for our Privacy Statement.