Product Security Principal

Salesforce is the #1 AI CRM, driving customer success. This role is for a Principal Application Security Expert focusing on offensive security and research. The expert will lead the discovery, analysis, and remediation of critical and systemic application security vulnerabilities across products and platforms. The role emphasizes identifying root causes, architectural weaknesses, and recurring security anti-patterns, driving secure-by-default solutions, and influencing design decisions to improve security posture at scale.

Must Have

• Lead offensive security assessments (manual testing, code review, architectural analysis, threat modeling).
• Discover critical, high-impact, and systemic vulnerabilities.
• Conduct security research to identify emerging attack vectors.
• Partner with engineering teams to explain risk and design scalable remediations.
• Drive Secure by Default initiatives by defining guardrails and eliminating insecure defaults.
• Influence application and platform design early in the development lifecycle.
• Help shape security standards and architectural guidance.
• Mentor engineers and security team members.
• Collaborate with detection, monitoring, and incident response teams.
• Deep expertise in Application Security with a strong offensive / attacker mindset.
• Proven experience finding critical and systemic vulnerabilities in large-scale applications.
• Strong understanding of web application security, authentication, authorization, API security, injection attacks, logic flaws, access control bypasses, secure design, and threat modeling.
• Hands-on experience with manual security testing.

Good to Have

• Experience driving platform-level or framework-level security improvements.
• Background in security research, vulnerability discovery, or red teaming.
• Experience influencing or leading Secure by Default / security-by-design initiatives.
• Familiarity with cloud-native architectures, microservices, and large distributed systems.
• Ability to balance security rigor with product velocity and developer experience.

Perks & Benefits

• Benefits and resources to support work-life balance.
• AI agents to accelerate impact.

Principal Application Security Expert (Offensive Security & Research)

Role Overview

We are looking for a Principal Application Security Expert with a strong offensive security and research mindset to lead the discovery, analysis, and remediation of critical and systemic application security vulnerabilities across our products and platforms.

This role goes beyond finding individual bugs — it focuses on identifying root causes, architectural weaknesses, and recurring security anti-patterns, and driving secure-by-default solutions that prevent entire classes of vulnerabilities in the future.

You will work as a trusted partner to engineering teams, influencing design decisions, improving security posture at scale, and raising the overall security maturity of our applications.

Key Responsibilities

• Lead offensive security assessments (manual testing, code review, architectural analysis, threat modeling) across complex application ecosystems.
• Discover critical, high-impact, and systemic vulnerabilities rather than isolated or one-off issues.
• Conduct security research to identify emerging attack vectors, abuse cases, and bypass techniques relevant to our applications and platforms.
• Partner closely with software engineers, tech leads, and architects to:
• Clearly explain risk, impact, and exploitability
• Design and implement effective remediations
• Ensure fixes are scalable, maintainable, and aligned with engineering realities
• Drive Secure by Default initiatives by:
• Defining security guardrails, patterns, and baseline controls
• Eliminating insecure defaults and unsafe configurations
• Preventing future vulnerabilities through platform-level and framework-level changes
• Influence application and platform design early in the development lifecycle to prevent vulnerabilities before they are introduced.
• Help shape security standards, best practices, and architectural guidance for application development.
• Mentor engineers and security team members, raising overall security awareness and offensive security skills.
• Collaborate with detection, monitoring, and incident response teams to improve visibility into real-world exploitation.

Required Qualifications

• Deep expertise in Application Security with a strong offensive / attacker mindset.
• Proven experience finding critical and systemic vulnerabilities in large-scale or complex applications.
• Strong understanding of:
• Web application security (OWASP Top 10 and beyond)
• Authentication & authorization flaws
• API security
• Injection attacks, logic flaws, access control bypasses
• Secure design and threat modeling
• Hands-on experience with manual security testing (not relying solely on automated tools).
• Ability to translate complex security findings into clear, actionable guidance for engineers.
• Strong communication skills and experience working collaboratively with engineering teams.

Preferred Qualifications

• Experience driving platform-level or framework-level security improvements.
• Background in security research, vulnerability discovery, or red teaming.
• Experience influencing or leading Secure by Default / security-by-design initiatives.
• Familiarity with cloud-native architectures, microservices, and large distributed systems.
• Ability to balance security rigor with product velocity and developer experience