AppSec Jobs

Box

Staff Security Engineer

Warsaw, Mazowieckie, Poland



About Box

Box, Inc. is a leading independent cloud content management platform that focuses on secure storage, sharing, collaboration, and workflow automation for enterprise content. Founded in 2005, Box transitioned from a consumer-focused service to an enterprise solution, emphasizing security and compliance. The company is headquartered in Redwood City, California, and has seen significant growth since its inception. Box offers a SaaS platform that manages the full content lifecycle. Its features include cloud storage and file sharing, collaboration tools for real-time editing, and advanced security measures tailored for enterprises. The platform also supports integrations and automation through APIs, enhancing its functionality with features like AI and e-signatures. Box serves a variety of industries, including financial services, healthcare, media, technology, and government, catering to businesses of all sizes.

Industry

information technology & services

Employees

2,900

1036 engineers

Revenue

$1.1B


Security at Box

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

Stated AppSec Mission:
- "At Box, security and compliance are part of our DNA." – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "Application security: Protects devices and software programs from threats" – Blog: What is information security (https://blog.box.com/what-is-information-security), Blog

Developer Enablement vs. Gatekeeping:
- "Ship MVPs and iterate on security automation" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️
- "embed requirements into patterns, platforms, and CI/CD/SAST/DAST workflows." – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting

Risk Philosophy:
- "Box has an established Enterprise Risk and Resiliency program" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "Drive a breaker–builder approach" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️

Stated Pain Points or Goals (Verbatim):
- "Build capabilities, modules and mechanisms to eliminate classes of vulnerabilities" – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting
- "Support and triage submissions for Bug Bounty and VDP programs" – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting

Gaps & Contradictions:
- Reporting chain for AppSec (who AppSec reports to: CISO/CTO/etc.) — Information not publicly available.
- Explicit company-wide AppSec metrics/KPIs published externally — Information not publicly available.

Security Team

Org Structure & Reporting Line:
- Evidence of a centralized Product & Platform Security Engineering capability and collaboration with Assurance & Architecture teams: "build and lead a high-impact engineering team in Warsaw focused on scaling security" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️
- Reporting line specifics and org-chart level reporting (e.g., reports to CISO or CTO) — Information not publicly available.

Key Public-Facing Leaders:
- No named, public-facing AppSec leader (title containing "Application Security" or "AppSec") was found on Box executive leadership pages: Information not publicly available.

Team Size Estimate (as_of:):
- LinkedIn Search Query Used: "Box Application Security"; filters: People; Location: Global
- Result: Information not publicly available (no verifiable public headcount statement found).

Active AppSec Job Postings (as_of:):
- Count: At least 3 active postings located (evidence below): Staff Security Engineer (AI Security); Senior Manager, Product Security Engineering; Senior Security Engineer. See job citations. (Evidence IDs: E-010, E-006, E-008)

Common Skill/Tool Patterns (verbatim evidence):
- "SAST, DAST, SCA, API security scanning" – Staff Security Engineer (AI Security) (Job ID: 6637723), Job Posting ⚠️
- "fuzzing" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️
- "software supply chain security (SBOM, signing, provenance)" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️
- "Proficient in at least one scripting language (e.g. Python)" – Staff Security Engineer (AI Security) (Job ID: 6637723), Job Posting ⚠️

Gaps & Contradictions:
- Public list of individual AppSec engineers or org headcount by function — Information not publicly available.

Key Initiatives

Security Champions Program: Status: Evidence Found
- "Support engineers and security champions" – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting (Interpretation note: the phrase is sourced from a Box job posting indicating the existence of "security champions" support responsibilities.)

"Shift Left" in Practice:
- "Secure software development is of utmost importance to the Software Development Lifecycle (SDLC) at Box." – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "embed requirements into patterns, platforms, and CI/CD/SAST/DAST workflows." – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting
- "Ship MVPs and iterate on security automation" – Senior Manager, Product Security Engineering (Job ID: 7336934), Job Posting ⚠️

Vulnerability Management Process (Intake, Triage, Remediation):
- Intake: "Box performs authenticated and unauthenticated network vulnerability scans of our production environment" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- Remediation SLAs: "We remediate our critical-severity findings within 48 hours" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- Penetration Testing: "Annual penetration testing is performed on Box's Web Application, Mobile Application, APIs" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- Bug Bounty / VDP: "Support and triage submissions for Bug Bounty and VDP programs" – Senior Security Engineer (ZipRecruiter posting referencing Box job), Job Posting

Secure SDLC Artifacts:
- "Threat modeling" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "Static code analysis" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "Dynamic code analysis" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️
- "security reviews for all major features" / "security, legal and compliance reviews for critical products and services" – Box Trust Center (https://www.box.com/trust), Trust Center ⚠️

Recent Initiatives (Last 6 Months):
- No explicit, AppSec-specific program announcements or tool rollouts dated within the last six months were found in public Box pages or blogs. Statement: Information not publicly available.

Gaps & Contradictions:
- Public, dated announcements of AppSec tool rollouts (specific vendor/tool names and rollout dates within last 6 months) — Information not publicly available.
