AppSec Jobs

Salesforce

Product Security Engineer

San Francisco, CA
Posted 3 days ago
$117,200 - $176,700 annually; in select cities within the San Francisco and New York City metropolitan areas, the base salary range for this role is $141,200 - $194,200 annually
Apply on LinkedIn →

At a Glance

AWS, GCP, Python, Java, OWASP, SAST

About This Role

We are looking for a Product Security Engineer to join our Salesforce Product Security Advisors team. You will be the technical authority responsible for assessing and providing remediation advice for the ecosystem that powers our clouds. As a trusted security advisor, you'll serve as the primary point of contact for our engineering partners and leadership, cultivating strong relationships and delivering critical security recommendations. Your contributions will directly shape and enhance the security posture of our core platforms, ensuring the resilience and integrity of Salesforce's offerings. You'll sit at the intersection of application security and infrastructure, ensuring that every design decision follows thoughtful security principles and that implementation meets the highest security standards.

Responsibilities

  • Embed security controls throughout the entire Software Development Life Cycle (SDLC), lead deep-dive threat modeling sessions for complex Salesforce Marketing Cloud (SFMC) integrations, and perform manual, agentic, and automated secure code reviews across Java, C#, PHP, and Python.
  • Conduct and coordinate penetration tests for high-risk features on internal and external-facing assets, and design and evaluate robust authentication and authorization (AuthN/AuthZ) frameworks including modern identity protocols such as Security Assertion Markup Language (SAML), OAuth 2.0, and OpenID Connect (OIDC).
  • Audit and harden cloud infrastructure supporting our environment, ensuring least-privilege access, resilient configurations, and adherence to security best practices.
  • Provide subject-matter expertise on identity management, email and messaging platform security, and Agentic AI, translating complex technical risks into clear business impact for engineering partners and leadership.
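The second responsibility above asks for the ability to design and evaluate AuthN/AuthZ frameworks built on OIDC. As an added example (not code from Salesforce or from the posting), the block below shows the relying-party side of that work: the checks an application must perform on an ID token before trusting it, following the validation rules in OIDC Core section 3.1.3.7 (fixed algorithm, signature, iss, aud/azp, exp, iat, nonce). The issuer URL, client ID and client secret are constructed for the example, and HS256 is used so the code runs on the Python standard library alone; a production relying party would normally verify RS256/ES256 signatures against the provider's JWKS with a maintained library, but the claim checks are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only: a hypothetical relying party
# registered at a hypothetical OpenID Provider.
ISSUER = "https://idp.example.com"
CLIENT_ID = "example-rp"
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Stand-in for the provider: issue an HS256-signed ID token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def alg_none_variant(token: str) -> str:
    """Attacker-style rewrite of a token: same claims, header alg=none, empty signature."""
    _, p, _ = token.split(".")
    return _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()) + "." + p + "."


class TokenError(ValueError):
    pass


def validate_id_token(token: str, expected_nonce: str, now=None,
                      key: bytes = CLIENT_SECRET, leeway: int = 60) -> dict:
    """Verify the signature, then the claim checks from OIDC Core 3.1.3.7.
    Returns the validated claims or raises TokenError with the reason."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(h))
    # The relying party decides which algorithm it accepts; never let the
    # token's own header pick it (this is what defeats alg=none).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, ("%s.%s" % (h, p)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud_list:
        raise TokenError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != CLIENT_ID:
        raise TokenError("multiple audiences but azp is not this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise TokenError("token expired")
    if "iat" not in claims or claims["iat"] > now + leeway:
        raise TokenError("token issued in the future")
    # The nonce binds the token to the login request that produced it.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch (possible replay)")
    return claims


def check_id_token(token: str, expected_nonce: str, now=None) -> str:
    """Convenience wrapper: 'ok' on success, otherwise the rejection reason."""
    try:
        validate_id_token(token, expected_nonce, now=now)
        return "ok"
    except TokenError as e:
        return str(e)


if __name__ == "__main__":
    t0 = int(time.time())
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "exp": t0 + 300, "iat": t0, "nonce": "n-1"}
    tok = mint_id_token(claims)
    print("valid token:", check_id_token(tok, "n-1", t0))
    print("alg=none rewrite:", check_id_token(alg_none_variant(tok), "n-1", t0))
    print("wrong nonce:", check_id_token(tok, "n-2", t0))
```

The ordering matters: signature first, so no claim is read from an unverified payload, and the algorithm is pinned by the relying party rather than taken from the token. The azp check is the one most often forgotten; it is required only when the token carries more than one audience.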

Requirements

OWASP, Java, Python, Snyk, Semgrep, DAST, SAST, OSCP, AWS, GCP
  • 5+ years in offensive or defensive security roles with a proven track record of securing enterprise-level cloud platforms, including expertise in OWASP Top 10 and SANS Top 25
  • Working knowledge of at least two of the following languages: Java, C#, PHP, or Python
  • Familiarity with security tooling such as Snyk, Semgrep, GitHub Actions, Dynamic Application Security Testing (DAST), and Static Application Security Testing (SAST)
  • Strong communication skills with the ability to translate complex vulnerabilities such as heap-buffer overflows or Insecure Direct Object References (IDOR) into business risk
  • Curiosity and willingness to adopt AI tools to work smarter, deliver better results, and continuously grow technical knowledge
  • Offensive security certifications such as Offensive Security Certified Professional (OSCP), Offensive Security Web Expert (OSWE), or GIAC Web Application Pentester (GWAPT) (Preferred)
  • AWS Cloud Security Specialist or Google Cloud Platform (GCP) Cloud Security Expert certification (Preferred)
  • Active participation in bug bounty programs (HackerOne, Bugcrowd) or contributions to open-source security tools and research (Preferred)
  • Experience with the Salesforce ecosystem and applying AI tools such as Claude, Cursor, or Gemini to security assessments (Preferred)

Benefits & Perks

Time off programs
Medical, dental, vision insurance
Mental health support
Paid parental leave
Life and disability insurance
401(k)
Employee stock purchasing program

About Salesforce

Salesforce is a global leader in cloud computing, founded in 1999 in San Francisco by Marc Benioff and his team. The company pioneered the Software-as-a-Service (SaaS) model, providing customer relationship management (CRM) solutions that are delivered entirely over the internet. This innovation has transformed how businesses engage with their customers by simplifying software installation and maintenance. The core offering of Salesforce is its cloud-based CRM platform, which helps businesses manage sales, customer service, marketing, and analytics. The company also provides a platform for building custom applications and hosts AppExchange, a marketplace for third-party business apps. Salesforce offers various cloud solutions, including Sales Cloud, Service Cloud, and Marketing Cloud, all designed to enhance customer engagement and streamline business operations. With mobile access and integrated automation tools, Salesforce supports a flexible and efficient work environment for its users. Salesforce serves a diverse range of customers, from small businesses to large enterprises, across multiple industries, including technology, finance, and healthcare. Its commitment to customer success and innovation has established it as a dominant player in the cloud computing industry.

Industry

information technology & services

Employees

77,000 total, of whom 17,468 are engineers

Revenue

$38B


Security at Salesforce

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

Salesforce's AppSec philosophy is rooted in trust, stating that 'Trust is the bedrock of our company.' They view cybersecurity as a 'shared responsibility' and aim to 'Build apps that users can trust.' Their risk philosophy emphasizes prevention, with the belief that 'Prevention is better than cure.' A stated goal is the 'finding and fixing of bugs.' However, information regarding reporting lines (e.g., to CISO vs CTO) is not publicly available.

Security Team

Salesforce has a large, cross-cloud security organization, but the specific AppSec reporting chain is not publicly available. Key public-facing leaders include Prashant Vadlamudi (Senior Vice President, Product Security), Andrew O. Leeth (Senior Director, Product Security), and Blake Carpenter (Product Security leader). Team size is estimated at roughly 30-40 based on public LinkedIn profiles. The number of active AppSec job postings could not be determined because of a service interruption on the Workday careers site. Common skill and tool patterns include 'embedding SAST, DAST, and SCA tools into CI/CD pipelines' and scanning Apex, Visualforce, and Lightning code pages. DigitSec is noted as an application security testing platform for Salesforce DevSecOps. Salesforce does not publish a consolidated org chart or an explicit team size for AppSec.

Key Initiatives

Salesforce's AppSec initiatives include 'Shift Left' practices such as performing 'a static analysis scan of all unpackaged code' and scanning Apex, Visualforce, and Lightning code pages. Their vulnerability management process includes a publicly published 'Responsible Disclosure Policy' for intake. While Salesforce 'maintains security incident management policies and procedures,' specific MTTR or SLA targets for AppSec remediation are not publicly available. Automation and detection leverage 'Threat Detection events... designed using statistical and machine learning methods.' Secure SDLC artifacts involve gathering 'security requirements before any design or development work begins' and reviews 'Through a combination of automation, manual review, and well-defined processes.' Recent initiatives include Security Center and AI/LLM-focused guidance, with 'Shield provides powerful prevention capabilities' and efforts in 'Mitigating LLM Risks Across Salesforce's Gen AI Frontiers.' Information on a security champions program, detailed vulnerability SLAs, and a published AppSec org reporting line are not publicly available.

