Crunchyroll
Staff Product Security Engineer
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Crunchyroll
Crunchyroll is a prominent streaming platform dedicated to anime, manga, and related media. Founded in 2006 by four graduates from the University of California, Berkeley, the company has grown from a user-uploaded video site to a leading name in the anime industry. Headquartered in San Francisco, Crunchyroll operates as a joint venture between Sony Pictures Entertainment and Aniplex. The platform offers a subscription video-on-demand service featuring licensed anime series, films, and original programming. Users can choose between ad-supported and premium subscription tiers. Crunchyroll also provides merchandise and collectibles through its store, which recently integrated Right Stuf. The company hosts sponsored events like Crunchyroll Expo, attracting thousands of attendees. With over 130 million registered users and 2.6 million paying subscribers worldwide, Crunchyroll is a key player in anime licensing and distribution, with offices in major cities including Tokyo, Paris, and Berlin.
Security at Crunchyroll
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“Crunchyroll's stated AppSec mission is to "Lead, mentor, and grow the Application Security team."Their approach to developer enablement involves "automating security (SAST/DAST) within CI/CD pipelines."The company's risk philosophy includes "managing third-party SDK risks (supply chain attacks)."A stated pain point or goal is "Vulnerability Research & Validation."There are no public verbatim statements found describing an overall AppSec charter on Crunchyroll-owned engineering/security pages, indicating that this information is not publicly available.”
Security Team
The AppSec team at Crunchyroll is structured to "report to the Senior Director of Fan Experience Engineering Service & Tools."A key public-facing leader is Maria M., a Staff AppSec Engineer, whose LinkedIn profile states, "Full stack developer turned security engineer."The team size estimate is not publicly available. The LinkedIn search query used was "site:linkedin.com Crunchyroll "Application Security" OR "AppSec""(global). As of, there are multiple active senior/Staff product security/AppSec role listings, including "Staff Product Security Engineer"and "Staff Engineering Application Security."Common skill and tool patterns from job postings include "anti-tamper, obfuscation, and RASP solutions (e.g., Promon, Guardsquare)", "reverse engineering tools (IDA Pro, Frida)", and knowledge of "OWASP MASVS and the OWASP Mobile Top 10."No public org chart, headcount, or named AppSec manager was found, indicating this information is not publicly available.
Key Initiatives
The status of a Security Champions Program is "No Evidence Found,"and information is not publicly available. Crunchyroll practices "Shift Left"by "automating security (SAST/DAST) within CI/CD pipelines."Their vulnerability management process includes "Vulnerability Research & Validation"for intake, but information on triage/remediation (SLAs, MTTR, ticketing ownership) is not publicly available. Secure SDLC artifacts mentioned include adherence to "OWASP MASVS and the OWASP Mobile Top 10"and practices like "HTTPS/TLS, cookie security (Secure, HttpOnly, SameSite)... Content Security Policy (CSP)."Recent initiatives (last 6 months) include active senior AppSec/product-security hiring, with listings such as "Staff Product Security Engineer"and "Staff Engineering Application Security."No public documentation was found describing vulnerability triage SLAs, security champion guidance, or a published AppSec roadmap, indicating these are not publicly available.
Preparing for an AppSec interview?
Get the weekly briefing 2,000+ security pros trust.