Sr. Product Security Engineer

RDQ326R107

About The Team

The Product Security Team at Databricks is responsible for embedding security throughout the Software Development Lifecycle (SDLC). Our mission is to left-shift security—ensuring that all code, whether powering customer-facing features or supporting internal infrastructure, is developed with security in mind from the start. By reducing the likelihood of introducing vulnerabilities and minimizing the impact of externally reported issues, we safeguard Databricks' products and services at scale.

Role Overview

As a Product Security Engineer , you will play a key role in securing the features and infrastructure that power Databricks. You will partner closely with engineering teams across the organization to design secure systems, conduct security reviews, and enable scalable, repeatable secure development practices through automation, paved pathways, and guardrails.

You'll support the full spectrum of security within the SDLC—from architecture and threat modeling through secure coding, pentesting, and deployment. In addition, you will contribute to incident and vulnerability response efforts and help scale our security influence through tools, frameworks, and processes that support both engineers and compliance needs.

Responsibilities

• Partner with product and engineering teams to design secure systems, identify risks early, and guide the development of robust solutions
• Conduct comprehensive security reviews including threat modeling, design analysis, manual code reviews, and exploit development to validate potential weaknesses
• Design and build guardrails that prevent common security mistakes and ensure consistent, enforceable policies across services
• Develop and maintain paved pathways—secure-by-default development patterns, frameworks, and tools that enable engineering teams to build securely without friction
• Triage and analyze findings from Static Application Security Testing (SAST) tools, distinguishing false positives from genuine issues and performing variant analysis to identify similar vulnerabilities across the codebase.
• Operate and evolve Dynamic Application Security Testing (DAST) tooling and automation to support vulnerability detection and defect tracking
• Support incident response (IR) and vulnerability response (VRP) workflows as needed, partnering with internal teams to investigate and remediate security events
• Enhance internal security automation frameworks and integrations to meet evolving compliance and regulatory requirements (e.g., FedRAMP, PCI, HIPAA)
• Contribute to the continuous improvement of SDLC-integrated security processes, with a focus on risk-based prioritization, real-world impact, and the implementation of AI-assisted tooling to enhance efficiency, accuracy, and scalability.

What We Look For

About Databricks

Databricks is the data and AI company. More than 10,000 organizations worldwide — including Comcast, Condé Nast, Grammarly, and over 50% of the Fortune 500 — rely on the Databricks Data Intelligence Platform to unify and democratize data, analytics and AI. Databricks is headquartered in San Francisco, with offices around the globe and was founded by the original creators of Lakehouse, Apache Spark™, Delta Lake and MLflow. To learn more, follow Databricks on Twitter, LinkedIn and Facebook.

Benefits

At Databricks, we strive to provide comprehensive benefits and perks that meet the needs of all of our employees. For specific details on the benefits offered in your region, please visit https : / / www.mybenefitsnow.com / databricks.

Our Commitment to Diversity and Inclusion

At Databricks, we are committed to fostering a diverse and inclusive culture where everyone can excel. We take great care to ensure that our hiring practices are inclusive and meet equal employment opportunity standards. Individuals looking for employment at Databricks are considered without regard to age, color, disability, ethnicity, family or marital status, gender identity or expression, language, national origin, physical and mental ability, political affiliation, race, religion, sexual orientation, socio-economic status, veteran status, and other protected characteristics.

Compliance

If access to export-controlled technology or source code is required for performance of job duties, it is within Employer's discretion whether to apply for a U.S. government license for such positions, and Employer may decline to proceed with an applicant on this basis alone.

Skills Required

Security Assessments, threat modeling