
Senior Security Engineer, Cloud Platform at Current Job Openings

Current Job Openings · Menlo Park, United States of America · Onsite


Job Overview  

As a Product Security Engineer at CelerData, you’ll embed with our platform and cloud teams to design and build secure-by-default features for StarRocks and CelerData Cloud. You will drive threat modeling, security assurance, and automation across our control plane, data plane, and BYOC (bring-your-own-cloud) deployments. Your work will span identity, secrets and key management, container/Kubernetes hardening, operating security tooling, and vulnerability management—scaling security through paved roads, tooling, and code.

Key Responsibilities  

  • Secure design & threat modeling: Partner with PM/engineering to review architectures and data flows (SaaS, on-prem, BYOC). Define security requirements and mitigations for features such as multi-tenant isolation, row/column-level security, auditing, and encryption.
  • Security Process: Develop processes, tooling and automation to scale security processes and mitigate risks to the business.
  • Cloud & Kubernetes hardening: Establish secure baselines for AWS/Azure/GCP; least-privilege IAM; network segmentation and private connectivity (e.g., PrivateLink/Private Endpoint); runtime policies (e.g., Cilium/Calico), admission controls, and secrets handling for K8s.
  • Identity & secrets: Advance SSO/MFA for customers and internal systems; standardize OIDC/SAML flows; engineer passwordless and m2m auth; manage KMS/HSM-backed key lifecycles; integrate with Vault for automated rotation.
  • Data protection: Ensure encryption in transit/at rest for object stores (S3/ADLS/GCS) and internal services; define data classification and tokenization/obfuscation patterns where appropriate.
  • Vulnerability management & assurance: Run coordinated scanning/fuzzing (including C++ components), triage reports (bug bounty/responsible disclosure), drive fixes to closure with clear SLAs, and commission targeted pentests.
  • Detection enablement: Improve security telemetry across control and data planes; contribute product-centric detections/runbooks for abuse, exfiltration, or privilege misuse.
  • Incident readiness: Maintain product incident playbooks; participate in investigations affecting CelerData products and customers; lead post-mortems and drive durable remediation.
  • Developer enablement: Provide clear guidance, examples, and “paved road” modules (Terraform/K8s manifests, SDK patterns). Deliver practical, lightweight training on secure coding and secrets hygiene.

Qualifications  

Minimum Requirements

  • 5+ years in product/application, platform, or cloud security supporting engineering teams shipping distributed systems at scale (or comparable impact).
  • Hands-on with at least one major cloud (AWS/Azure/GCP) and Kubernetes security (RBAC, admission, PSP replacements, runtime policies, image signing).
  • Proficiency in at least one of: Python or Go for automation; plus the ability to read and review C++ and/or Java for security implications.
  • Solid grasp of authN/Z patterns (OIDC/SAML, OAuth2, service-to-service auth), secrets and key management (KMS/HSM, Vault), and TLS/mTLS fundamentals.
  • Experience designing controls for multi-tenant SaaS or BYOC architectures (isolation, network egress controls, private connectivity, least-privilege IAM).
  • Clear, pragmatic communicator who can influence design, document decisions, and drive cross-team execution.

Preferred Qualifications

  • Fuzzing experience (e.g., libFuzzer/AFL/OSS-Fuzz) or sanitizers for native code; prior work securing OLAP/DB, storage engines, or high-performance C++ services.
  • IaC security (Terraform + Conftest/OPA checks), cloud org guardrails, SCP/Config/Policy, and drift detection.
  • Familiarity with data security features (RLS/CLS, masking, audit/eventing) in analytics platforms.
  • Contributions to open-source projects (StarRocks/ClickHouse/Trino ecosystems a plus).
  • Relevant certifications (AWS/Azure/GCP security, CNCF/K8s), or equivalent demonstrable experience.