
Yahoo

Paranoids Vulnerability Management Lead

Reposted Yesterday
Remote
Hiring Remotely in United States of America
128K-267K Annually
Senior level
Lead the Vulnerability Management program, coordinating remediation of security vulnerabilities, managing automation requirements, and analyzing large datasets to prioritize risks. Work with analysts and leadership on threat response and vulnerability trends reporting.
The summary above was generated by AI
Yahoo serves as a trusted guide for hundreds of millions of people globally, helping them achieve their goals online through our portfolio of iconic products. For advertisers, Yahoo Advertising offers omnichannel solutions and powerful data to engage with our brands and deliver results.

A Little About Us 

When you impact millions of people every day, you become a large target for adversaries of all types within all layers of the stack. Our job is to keep our users safe and make Yahoo one of the safest places on the Internet. We are the information security team at Yahoo, known as "The Paranoids".

About Our Team 

Our job is to keep our users safe and make Yahoo one of the safest places on the Internet. The Vulnerability & Controls Operations team finds, triages, and tracks security weaknesses across infrastructure and cloud environments. We identify high-risk issues like zero-day vulnerabilities and cloud exposures.

A Lot About You 

We are looking for a Senior Security Engineer to serve as the lead for Vulnerability Management. This is a hybrid role that requires strong engineering skills and operational leadership. You will be the engine behind the scenes. You will identify and drive mitigation of vulnerabilities, manage requirements for automation, oversee vendor relationships, and utilize large datasets to identify risks.

You will also stand on the front lines. You must have critical vulnerability handling experience. When a major threat emerges, you will help lead the coordination and response. You will work alongside analysts, engineers, and senior leadership to manage these remediation efforts.

Key Responsibilities

  • Direct the coordination and remediation of high-severity security vulnerabilities.

  • Manage the process from detection and assessment through communication and remediation coordination of security vulnerabilities.

  • Use Databricks to parse and analyze massive datasets in order to address vulnerabilities across the company.

  • Identify vulnerability trends across the company and create reports for senior leadership.

  • Oversee the technical requirements for vulnerability scanning vendors.

  • Configure scanners to match our changing environment and manage the vendor relationship to obtain the features required.

  • Perform vulnerability scanning, analysis, validation and remediation activities.

  • Validate vulnerabilities discovered through scans and code analysis.

  • Prioritize risks based on the specific context of the Yahoo environment, distinct mitigating factors, and assessment of the impacts of internal and external threat factors.

  • Own, maintain, and create the operational process documentation and vulnerability handling runbooks regarding program execution.

  • Work with product teams, developers, and system administrators to explain security risks and provide remediation guidance for vulnerabilities.

  • Provide security subject matter expertise to Yahoo product teams, including developers and system administrators.

  • Monitor public and proprietary sources for vulnerability information.

  • Assess the impact of zero-day threats and recommend immediate action.

  • Research and assess new threats, vulnerability and security trends, and security alerts, and recommend remedial action.

  • Develop metrics and dashboards for vulnerability management functions.

  • Perform technical and non-technical compliance activities, as needed.

  • Participate in an on-call rotation and provide after-hours support to drive the resolution of critical vulnerability handling.

  • Design, implement, and optimize AI-driven vulnerability management workflows to automatically identify, prioritize, and track remediation of security findings across cloud and on-prem environments.

  • Utilize AI tools for important vulnerability management tasks such as parsing, summarizing, and triaging large vulnerability datasets, researching emerging threats and zero-day vulnerabilities, and CVE analysis.

  • Use AI-assisted analysis to identify vulnerability trends and generate insights for leadership reporting.

Minimum Qualifications

  • Bachelor’s degree in a technical discipline (e.g., Computer Science, Engineering, Information Security) or equivalent practical experience.

  • 7+ years of experience in information security, specifically within vulnerability management or security engineering.

  • Strong understanding of common application, network, and OS vulnerabilities (Linux, Windows and OSX), patching, and attack patterns.

  • Proven experience driving critical vulnerability remediation activities.

  • Ability to lead coordination with stakeholders during high-pressure vulnerability remediation efforts.

  • Extensive experience with core vulnerability management scanners (e.g., Tenable, Nexpose, Qualys, AWS Inspector, GCP SCC, GitHub Advanced Security).

  • Experience with various vulnerability assessment solutions, vulnerability management, patch management, software development life cycle (SDLC), host-based security systems, networking, systems administration, application development, cloud computing and information security best practices.

  • Proficiency using AI tools to assist with coding, automation, and complex problem-solving.

  • Proficiency with data analysis platforms. You should have experience using Databricks or similar tools to query and visualize large datasets to prioritize impactful vulnerabilities and reduce noise.

  • Proficiency in Python or Go. You are comfortable building automation, working with APIs, and writing clean and testable code.

  • Deep understanding of supply chain risks (such as npm), dependency confusion attacks, and detection and handling of malicious package attacks.

  • Stays up to date with current vulnerabilities and vulnerability-related news in various industries.

  • Strong understanding of common cloud platforms, such as AWS and GCP, and container technologies (Kubernetes, AWS EKS, Docker).

  • Familiarity with a variety of web application protocols, operating systems and networking technologies.

  • Ability to work independently with limited data and operate with a high sense of urgency to shift priorities quickly in a fast-paced environment.

Preferred Qualifications

  • Certified Information Systems Security Professional (CISSP)

  • Experience independently leading projects to completion

  • Intermediate to advanced capabilities with Databricks for log analysis and dashboard creation.

  • Background in software development life cycle (SDLC) and patch management.

  • Experience collaborating with cross-functional teams, engineers, and leadership.

The material job duties and responsibilities of this role include those listed above as well as adhering to Yahoo policies; exercising sound judgment; working effectively, safely and inclusively with others; exhibiting trustworthiness and meeting expectations; and safeguarding business operations and brand integrity.

At Yahoo, we offer flexible hybrid work options that our employees love! While most roles don’t require regular office attendance, you may occasionally be asked to attend in-person events or team sessions. You’ll always get notice to make arrangements. Your recruiter will let you know if a specific job requires regular attendance at a Yahoo office or facility. If you have any questions about how this applies to the role, just ask the recruiter!

Yahoo is proud to be an equal opportunity workplace. All qualified applicants will receive consideration for employment without regard to, and will not be discriminated against based on age, race, gender, color, religion, national origin, sexual orientation, gender identity, veteran status, disability or any other protected category. Yahoo will consider for employment qualified applicants with criminal histories in a manner consistent with applicable law. Yahoo is dedicated to providing an accessible environment for all candidates during the application process and for employees during their employment. If you need accessibility assistance and/or a reasonable accommodation due to a disability, please submit a request via the Accommodation Request Form (www.yahooinc.com/careers/contact-us.html) or call +1.866.772.3182. Requests and calls received for non-disability related issues, such as following up on an application, will not receive a response.

We believe that a diverse and inclusive workplace strengthens Yahoo and deepens our relationships. When you support everyone to be their best selves, they spark discovery, innovation and creativity. Among other efforts, our 11 employee resource groups (ERGs) enhance a culture of belonging with programs, events and fellowship that help educate, support and create a workplace where all feel welcome.

The compensation for this position ranges from $128,250.00 - $266,875.00/yr and will vary depending on factors such as your location, skills and experience. The compensation package may also include incentive compensation opportunities in the form of discretionary annual bonus or commissions. Our comprehensive benefits include healthcare, a great 401k, backup childcare, education stipends and much (much) more.

Currently work for Yahoo? Please apply on our internal career site.

Top Skills

AWS
Databricks
Docker
GCP
Go
Kubernetes
Nexpose
Python
Qualys
Tenable
