PayPal
Staff Product Security Engineer
The complete job description, requirements, and application details are available on the original LinkedIn posting.
About PayPal
PayPal is a global financial technology company that has operated in online commerce for over 25 years. It enables secure, personalized money movement, shopping, and selling across approximately 200 markets. Originally founded as Confinity, Inc. in 1998, PayPal launched its core product in 1999, allowing users to send money via email funded by bank accounts and credit cards. The company's stated values are inclusion, innovation, collaboration, and wellness, and its stated aim is to get more money back to customers, faster, through its services. PayPal offers a range of payment and financial services for consumers, merchants, and businesses. Its core payment products enable secure online transactions, while its business tools provide a unified platform for payment acceptance and operational efficiency. The company also offers working capital loans, transaction management features, a PayPal debit card, and developer APIs for integrations. Through PayPal Ventures, the company invests in startups across a range of sectors, supporting innovation in fintech and commerce.
Security at PayPal
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
* **Stated AppSec Mission:** PayPal emphasizes building strong, secure payment systems and integrating security into every layer of the system. "Security is a top priority, and PayPal enforces strict guidelines." – PayPal security guidelines for developers (https://docs.paypal.ai/developer/how-to/security-guidelines), Official Documentation
* **Developer Enablement vs. Gatekeeping:** PayPal provides security guidelines, tools, and best practices so that developers can integrate payments securely. "PayPal provides a robust set of APIs and SDKs for integrating payments into your applications." – PayPal security guidelines for developers (https://docs.paypal.ai/developer/how-to/security-guidelines), Official Documentation
* **Risk Philosophy:** PayPal employs real-time risk monitoring and identity verification. "PayPal continuously examines transaction trends and user behavior. Its AI-powered risk engines immediately detect any suspicious activity." – Inside PayPal's Security Testing (https://www.frugaltesting.com/blog/inside-paypals-security-testing-how-your-digital-wallet-stays-safe), third-party Blog Post
* **Stated Pain Points or Goals (Verbatim):** Information not publicly available.
Security Team
* **Org Structure & Reporting Line:** The "Threat Exposure Management team, is part of Product Security, and helps to drive PayPal's vulnerability management program." – Application Security Engineer Job Posting (https://www.tealhq.com/job/application-security-engineer_d4ea0c62-0cd3-4e9c-a719-fd441a24eb4a), Job Posting
* **Key Public-Facing Leaders:**
  * **David Messerschmidt, Product Security @ PayPal** – LinkedIn Profile (https://www.linkedin.com/in/davidmess)
    * Key Quote: "David oversees the Application Security program for PayPal business units." – David Messerschmidt LinkedIn Profile (https://www.linkedin.com/in/davidmess), LinkedIn Profile
  * **Hao Wang, Director Offensive Security @ PayPal** – LinkedIn Profile (https://www.linkedin.com/in/haowang86)
    * Key Quote: "Hao currently leads Offensive Security at PayPal." – Hao Wang LinkedIn Profile (https://www.linkedin.com/in/haowang86), LinkedIn Profile ⚠️ staleness flag
* **Team Size Estimate:** Information not publicly available.
* **Active AppSec Job Postings:**
  * **Count:** At least 2 (Application Security Engineer; Sr Staff Product Security Engineer).
  * **Common Skill/Tool Patterns:** SAST, SCA, secrets detection, vulnerability management, API security testing, mobile app security testing. "You will focus on vulnerability identification methods, such as, but not limited to Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Secrets." – Application Security Engineer Job Posting (https://www.tealhq.com/job/application-security-engineer_d4ea0c62-0cd3-4e9c-a719-fd441a24eb4a), Job Posting
Key Initiatives
* **Security Champions Program:** Information not publicly available.
* **"Shift Left" in Practice:** PayPal is reported to use SAST to analyze code early in the development process. "Analyzes code early in the development process, without executing the application." – Inside PayPal's Security Testing (https://www.frugaltesting.com/blog/inside-paypals-security-testing-how-your-digital-wallet-stays-safe), third-party Blog Post
* **Vulnerability Management Process:**
  * **Intake:** PayPal runs a bug bounty program. "PayPal has partnered with HackerOne to engage the security research community." – PayPal Secure Technology (https://www.paypal.com/us/security/learn-about-paypal-secure-technology), Official Documentation
  * **Triage/Remediation:** No internal triage process is described publicly; PayPal's published guidelines for integrators prescribe criticality-based triage and patching. "Vulnerabilities should be categorized by criticality, and the relevant patches applied based on that criticality designation." – Security guidelines and best practices (https://developer.paypal.com/reference/guidelines/info-security-guidelines/), Official Documentation
  * **Secure SDLC Artifacts:** PayPal is reported to conduct API security testing, mobile app security testing, and regression testing. "PayPal uses a variety of api security testing tools to make sure APIs are resistant." – Inside PayPal's Security Testing (https://www.frugaltesting.com/blog/inside-paypals-security-testing-how-your-digital-wallet-stays-safe), third-party Blog Post
* **Recent Initiatives (Last 6 Months):** PayPal security researchers (Hao Wang, Caleb Sargent, Harrison Pomeroy) plan to disclose novel email spoofing attack patterns at Black Hat USA. – 20 Million Trusted Domains Vulnerable to Email Hosting Exploits (https://www.darkreading.com/threat-intelligence/20-million-trusted-domains-vulnerable-to-email-hosting-exploits), News Article ⚠️ staleness flag