Paranoids Technical Security Engineer II - Product Security

It takes powerful technology to connect our brands and partners with an audience of hundreds of millions of people. Whether you’re looking to write mobile app code, engineer the servers behind our massive ad tech stacks, or develop algorithms to help us process trillions of data points a day, what you do here will have a huge impact on our business—and the world. Job Description As Yahoo, our brands help people stay informed and entertained, communicate and transact, while creating new ways for advertisers and partners to connect. With technologies like XR, AI and machine-learning we’re transforming media for tomorrow, too. We're creators and coders, dreamers and doers creating what's next in content, advertising and technology. About Our Team When you impact millions of people every day, you become a large target for adversaries of all types within all layers of the stack. Our job is to keep our users safe and make Yahoo one of the safest places on the Internet. We are the information security team at Yahoo; known as "The Paranoids". Responsibilities As a Paranoids Product Security Engineer, you have the opportunity to guide secure development for a product area and in addition, own and drive secure development initiatives affecting the overall enterprise. Activities include the following: Perform hands-on web and/or mobile application security assessments, identify vulnerabilities, and recommend mitigations. Assist with code reviews, design reviews, and security testing for new features and releases. Contribute to the development and improvement of internal security tools, playbooks, and documentation. Support incident response and vulnerability remediation by validating reported issues and coordinating with developers. Participate in ongoing learning, staying current with emerging threats and technologies relevant to the organization’s tech stack. Collaborate with Engineering teams to drive security initiatives. Minimum Requirements: 3 years of experience in application or product security, or in a related engineering discipline (backend, frontend, or mobile development) with a focus on secure design. Experience securing web and mobile applications, including performing code reviews, threat assessments, and vulnerability triage. Solid understanding of web security fundamentals — authentication, authorization, input validation, session management, encryption, and secure communications. Familiarity with common vulnerabilities and exposures (OWASP Top 10, CWE) and mobile application threats (MASVS, reverse engineering, insecure storage, API misuse). Hands-on experience using and tuning security testing tools such as SAST, DAST, dependency scanners, and mobile app assessment tools. Ability to work with developers to analyze findings, provide actionable remediation guidance, and validate fixes. Comfortable writing or reviewing code in one or more languages (e.g., Java, JavaScript/TypeScript, Python, Go, Swift, or Kotlin). Understanding of CI/CD security integration and secure development practices. Familiarity with API security concepts and basic knowledge of securing cloud-based applications. Strong communication skills — able to document findings, explain risk to engineers, and collaborate effectively with cross-functional teams. Preferred Exposure to threat modeling and secure design reviews for web or mobile applications. Experience with modern authentication mechanisms (OAuth 2.0, OpenID Connect, SAML, JWT). Working knowledge of containerized or cloud-native environments (Docker, Kubernetes, AWS/GCP/Azure). Familiarity with vulnerability management workflows, triage, and coordination with development teams. Experience building or maintaining security automation, such as CI/CD integrations or internal tools for scanning and reporting. Industry certifications such as GWEB, GWAPT, OSCP, or CSSLP are a plus. Yahoo is proud to be an equal opportunity workplace. All qualified applicants will receive consideration for employment without regard to, and will not be discriminated against based on age, race, gender, color, religion, national origin, sexual orientation, gender identity, veteran status, disability or any other protected category. Yahoo will consider for employment qualified applicants with criminal histories in a manner consistent with applicable law. Yahoo is dedicated to providing an accessible environment for all candidates during the application process and for employees during their employment. If you need accessibility assistance and/or a reasonable accommodation due to a disability, please submit a request via the Accommodation Request Form ( www.yahooinc.com/careers/contact-us.html ) or call +1.866.772.3182 . Requests and calls received for non-disability related issues, such as following up on an application, will not receive a response. Yahoo has a high degree of flexibility around employee location and hybrid working. In fact, our flexible-hybrid approach to work is one of the things our employees rave about. Most roles don’t require specific regular patterns of in-person office attendance. If you join Yahoo, you may be asked to attend (or travel to attend) on-site work sessions, team-building, or other in-person events. When these occur, you’ll be given notice to make arrangements. If you’re curious about how this factors into this role, please discuss with the recruiter. Currently work for Yahoo? Please apply on our internal career site.