Senior Security Software Engineer - Cloud & Infra Security Aliso Viejo, California,

Stub Hub is on a mission to redefine the live event experience on a global scale. Whether someone is looking to attend their first event or their hundredth, we’re here to delight them all the way from the moment they start looking for a ticket until they step through the gate. The same goes for our sellers. From fans selling a single ticket to the promoters of a worldwide stadium tour, we want Stub Hub to be the safest, most convenient way to offer a ticket to the millions of fans who browse our platform around the world.

Stub Hub Cloud & Infrastructure Security Engineering is seeking a senior engineer to enhance our security posture within the cloud and infrastructure domains. The perfect candidate will possess extensive experience in cloud security architecture, network security, and infrastructure automation, as well as a familiarity with container and operating system security.

Location:

Hybrid (3 days in office/2 days remote) – New York, NY or Santa Monica, CA or Aliso Viejo, CA

• Develop secure Cloud Account Architectures, focusing primarily on AWS, while understanding and navigating the trade-offs of various cloud architectures.
• Design and implement network security strategies that leverage security groups, NACLS, routing domains, and multi-tiered subnet architectures to ensure a defense‑in‑depth approach.
• Manage critical security logging and monitoring infrastructure for cloud‑native and third‑party data sources, ensuring their efficient shipping to Data Lakes and integration with visualization platforms.
• Operate and manage Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP), such as Wiz, Orca, Palo Alto Networks Prisma, and Rapid7 IC.
• Deploy configurations and infrastructure using Infrastructure as Code (IaC) frameworks, such as Terraform, Cloud Formation, and Pulumi.
• Develop and implement governance strategies for infrastructure deployment that integrate security best practices and enhance developer productivity.
• Architect and implement workload identity services, such as SPIRE (Spiffe), in a heterogeneous multi‑cloud environment.
• Architect and maintain PKI and secrets management platforms to ensure secure storage and access to sensitive information.
• Write and maintain production‑quality APIs to automate security processes, benefiting infrastructure and developer workflows.

• Expert level experience in AWS cloud account architecture.
• Expert level knowledge in Network Security, including experience with AWS networking primitives:
  Security Groups, Network Access Control Lists (NACLS), Subnetting, Routing, and egress traffic filtering mechanisms.
• Expert level proficiency in Identity & Access Management (IAM) Security, including experience with architecting AWS IAM roles & policy architectures for both human and machine access.
• Expert level communication skills and the ability to work effectively across teams.
• Expert level experience deploying and maintaining configurations and infrastructure using Terraform.
• Expert level experience with modern CSPM and CWPP tools (e.g., Wiz, Orca, Prisma, or Rapid7).
• Intermediate level experience with Secrets / key Management Platforms (e.g., AWS KMS, AWS Secrets Manager, Hashicorp Vault).
• Expert level experience in building and implementing IaC governance strategies that combine security best practices while enabling developer productivity.
• Intermediate level experience in architecting & managing Spire (Spiffe) and Service Mesh services.
• Intermediate level proficiency in Python or Go, and Bash scripting.
• Intermediate level experience in building & maintaining Web Application Firewalls.
• Intermediate level familiarity with security frameworks (e.g., PCI DSS, CIS, ISO 27001, NIST CSF).

• Intermediate level experience in architecting & implementing internal PKI & Secrets Management services.
• Intermediate level knowledge of Kubernetes (K8s) Security foundations, including admission controllers, K8s Network Policies, K8s RBAC, and K8s Ingress architectures.
• Intermediate level proficiency in DDoS mitigation techniques using AWS Shield, CDN traffic scrubbing, and origin…