AppSec Jobs

Okta

Staff Product Security Engineer, Reviews

Barcelona, Catalonia, Spain · Posted 2 days ago · €74.000 to €101.000 EUR
Apply on LinkedIn

At a Glance

Python, Java, Go, OWASP, Pen Testing, Threat Modeling

About This Role

As a Staff Product Security Engineer, you will play a critical role in safeguarding Okta's products by conducting comprehensive security reviews, guiding engineering teams in secure development practices, and handling externally reported vulnerabilities. You will engage in code reviews, penetration testing, and architectural security assessments to ensure the security of Okta's platforms and features.

This role is not suited for individuals who rely solely on automated vulnerability scanning. Instead, you must possess a deep technical understanding of web applications, backend services, penetration testing methodologies, and secure design principles. A successful candidate will have expertise in authentication protocols (SAML, OAuth, OIDC), threat modeling, and a strong desire to automate security processes by building tools that proactively identify vulnerabilities. You will also be responsible for communicating risks, impact, and remediation strategies to developers, leadership, and external audiences through documentation, presentations, and external publications.

The ideal candidate will also demonstrate a deep technical background in assessing AI-integrated software architectures and securing Large Language Models (LLMs) against emerging threats and modern vulnerability classes, and will have an attacker mindset: the ability to think critically, creatively, and like an adversary when solving security challenges. We actively support public disclosure of research and findings through white papers, blog posts, and conference presentations.

Responsibilities

  • Conduct security reviews, including design reviews, threat modeling, and penetration testing of new features and major changes.
  • Perform manual secure code reviews across multiple programming languages.
  • Identify and mitigate security vulnerabilities, providing clear guidance to engineering teams.
  • Lead product security incidents, assess risks, and drive remediation efforts.
  • Develop security tools and automation to improve vulnerability detection and assessment.
  • Mentor junior engineers and provide guidance to non-security staff on secure development practices.
  • Represent Okta externally through security research, conference talks, and publications.

Requirements

OWASP, Java, Go, Python, SAST, DAST, SCA
  • Expertise in identifying OWASP Top 10 / CWE Top 25 vulnerabilities through manual code review.
  • Strong experience in penetration testing and secure development practices.
  • Deep technical background in assessing Large Language Models (LLMs) and securing AI-integrated software architectures.
  • Proficiency in multiple programming languages (e.g., Java, Go, Python, C/C++).
  • Deep understanding of authentication & authorization protocols (OIDC, SAML, OAuth).
  • Strong communication skills to explain risks and remediation to developers and leadership.
  • Ability to automate security testing using LLMs and scripting (Python, Bash, etc.).
  • Experience leading security incidents and risk assessments.
  • Experience in mobile (iOS/Android) and desktop (Windows/macOS) security testing.
  • Familiarity with SAST, DAST, SCA, and fuzzing tools.
  • Strong cryptographic knowledge and secure implementation practices.
  • Experience analyzing network protocols and traffic security.
  • Ability to develop proof-of-concept exploits to demonstrate vulnerabilities.

Benefits & Perks

Equity (where applicable)
Bonus
Comprehensive healthcare coverage
Financial benefits including paid time off
Parental leave
Supporting Your Well-Being
Driving Social Impact
Developing Talent and Fostering Connection + Community
Global community spanning over 20 offices worldwide
Immersive, in-person onboarding experience

About Okta

Okta, Inc. is a technology company based in San Francisco, founded in 2009 by Todd McKinnon and Frederic Kerrest. The company specializes in cloud-based identity and access management (IAM) solutions, including Identity-as-a-Service (IDaaS). Okta's Identity Cloud enables secure connections between users and technology, allowing organizations to manage user authentication for employees, customers, and partners across various applications and devices. Key offerings include Single Sign-On (SSO), which simplifies access to multiple cloud applications with one set of credentials, and Identity Governance and Privileged Access Management (PAM) for secure access controls. Okta has experienced significant growth, serving over 19,100 customers and reporting $2.263 billion in revenue for FY2024. The company is recognized for its influence in identity management and is committed to security and community initiatives through programs like Okta for Good.

Industry

Information technology & services

Employees

6,000

1917 engineers

Revenue

$2.6B


Security at Okta

Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.

3 Intel Signals

Security Philosophy

  • Okta's stated mission is to ensure security is prioritized from the outset through its Secure Development Lifecycle.
  • The company embeds members of its Security Education team throughout the engineering organization, emphasizing security as a core corporate value.
  • Okta maps its risk philosophy to the NIST Cybersecurity Framework (CSF) 2.0 and aims to drive down exposure to server security misconfigurations.

Security Team

Okta's Product Security Incident Response Team (PSIRT) focuses on identifying, assessing, and managing risks. They also have a Security Champion Network led by their Security Education team. David Bradbury is the Chief Security Officer. The exact team size and reporting chain are not publicly available. Multiple active job postings for Product/Security Engineering roles mention common skills like Software Composition Analysis (SCA), Static Application Security Testing (SAST), DAST, and development expertise in languages like Go and/or Python, along with experience in GitHub and CI/CD systems (GitHub Actions, Jenkins).

Key Initiatives

  • Okta runs a Security Champions program led by its Security Education team.
  • They practice 'shift-left' by planning and building with a security-centric lens from the outset.
  • Vulnerabilities are managed through intake from various sources, including security researchers, bug bounty programs, employees, partners, or customers.
  • Okta's Bug Bounty Program has rewarded over 400 issues.
  • The Product Security Incident Response Team (PSIRT) is activated for immediate customer impact.
  • Secure SDLC artifacts include Software Bill of Materials (SBOM) and routine penetration testing.
  • Recent initiatives (within the last 6 months) include establishing regional security culture groups and mapping to the NIST CSF 2.0.
