Security Engineer - GDX
Security Engineer
Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee-centric atmosphere in which our employees thrive and succeed.
This is an environment unlike anything in the high-tech world and the secret of Costco's success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.
Come join the Costco Wholesale IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.
Security Engineers develop, design, implement, and integrate security systems used to safeguard enterprise assets against cyber-attack. Security Engineers drive innovation, influence delivery, and maximize performance. They deliver high-quality artifacts, develop and run security tests and continuously tune security tools for optimization. Security Engineers identify gaps and inefficiencies and work with the business to implement solutions based on their requirements.
As part of the Digital Site Security team, the DevOps Security Engineer will be focused on improving the security posture and delivery of new and enhanced security capabilities for Costco BC and BD properties.
Provides security and technical expertise to create, implement, and support the development of security objects, including Fastly CDN configurations, custom VCL logic, and Terraform-managed resources, to satisfy business requirements.
Analyzes, builds, operates, and administers security policies to control physical and virtual system access and configurations, including on Fastly edge computing and cloud platforms.
Identifies and investigates security issues, leveraging multiple dashboards, alerting, and configuration management, to develop security solutions that address compliance requirements and mitigate risks.
Identifies, develops, and implements mechanisms (such as Fastly security features, custom VCL, and automated Terraform deployments) to detect security incidents in order to enhance compliance and support security standards and procedures.
Assesses business role requirements, reviews authorization roles, and supports authorizations, including integration with edge security platforms.
Demonstrates a comprehensive skill set with testing authorizations for multiple environments (on-premises, cloud, and edge); coordinates and conducts testing with business/technical users.
Defines and validates system configurations, using tools such as automated Terraform checks, to ensure the safety of information system assets and protect information from intentional or inadvertent access or destruction.
Implements best practices using information systems security standards/practices, including access control, system hardening, audit/log file monitoring, security policies, and incident handling.
Designs and coordinates activities/engagements with cross-functional teams (loss prevention, legal, networking, DevOps), especially when deploying edge security and automation.
Identifies security gaps, including in CDN, WAF, and API management layers, that may expose the business to exploitation, and develops prioritized remediation with available solutions.
Develops and executes security controls, defenses, and countermeasures to intercept and prevent internal/external threats and data infiltrations.
Determines strategy and protocol for network behavior, analysis techniques, and tool implementation, including the use of observability and orchestration tools.
Identifies and resolves problems, often anticipating issues before they occur; develops and evaluates technical options, including edge and IaC (Infrastructure as Code) platforms, and implements scalable, secure solutions.
Provides subject matter expertise in systems security policies, standards, protocols, and technologies, with a focus on CDN and NGWAF.
Creates dashboards, configures alerts, and implements/supports security software platforms to monitor tools and applications.
Identifies opportunities for streamlining and increasing effectiveness using automation, scripting, and continuous process improvement.
Develops and documents security events and incident handling procedures into Playbooks, including scenarios involving CDN security incidents and automated remediation.
Triages, prioritizes, investigates, and coordinates security events and incident handling activities.
Works with internal and external auditors, providing evidence for in-scope regulatory requirements.
Designs, configures, and maintains a range of security controls across different environments.
Partners with stakeholders and Security Architects to identify and implement security solutions that support business requirements, leveraging automation best practices.
Required
5+ years' experience in Security Engineering, edge computing, Fastly experience.
Experience working with WAFs and CDNs such as Akamai and Fastly.
Experience in offensive security roles, such as penetration testing or ethical hacking.
Experience with Security Engineering of sites hosted in Public Cloud (Google, Azure).
Proficiency in scripting and programming languages (e.g. Python, JS, Java, SQL, Terraform, VCL) for tool development and automation.
Strong understanding of operating systems, network protocols, and web application security.
Extensive experience with security tools and frameworks (e.g. Kasada, Microsoft DFP, Bloodhound, Cobalt Strike).
Vast experience in performing code review to identify vulnerabilities.
A passion for cybersecurity and a commitment to staying current with emerging threats and industry trends.
Recommended
Bachelor's/Master's degree or equivalent experience in Computer Science, Information Security, or a related field.
One or more professional network and security certifications such as Security+, Network+, CCNA, GSEC, CISA, or CISSP (or equivalent work experience).
Experience performing computer forensics.
Familiarity with ITILv2/v3 processes such as Service Support, Service Delivery, or Continual Service Improvement.
Familiarity with Regulatory Compliance and industry standards, such as HIPAA, SOX, and PCI.
Familiarity in a DevOps or DevSecOps environment.
Proficient in Google Workspace applications, including Sheets, Docs, Slides, and Gmail.
Required Documents
Cover Letter
Resume
Pay Ranges:
Level SR - $150,000 - $190,000, Bonus and Restricted Stock Unit (RSU) eligible
Level Staff - $180,000 - $225,000, Bonus and Restricted Stock Unit (RSU) eligible
We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), and stock purchase plan to eligible employees.
Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to IT-Recruiting@costco.com.
If hired, you will be required to provide proof of authorization to work in the United States.
Location: Issaquah