Staff Product Security Engineer (SDLC) | 29872

Engineering, Infrastructure and Operations | Santa Clara, California | San Diego, California | Chicago, IL



Work matters. It’s where we spend a third of our lives. And the workplace of the future is going to be a great place. We’re dedicated to bringing that to life for people everywhere. That’s why we put people at the heart of everything we do.

People matter. Our people have a passion for learning, building, and innovating. Whether you’re an engineer, a sales professional, a finance professional, or anything in-between, our roles aim to provide each person with meaningful impact and plenty of space to grow.


Product Security is working on shifting left, allowing engineering teams and the company to be proactive with simplified, integrated security testing. This paradigm shift benefits developers and ServiceNow by codifying security activities at scale into their build pipelines, ensuring toolchains are easily automated with continuous monitoring and feedback.


As an engineer on the ServiceNow Offensive Security Team, you will be responsible for identifying security vulnerabilities within our platform. You will work with internal development teams to review source code and pentest custom functionality built on top of the ServiceNow platform. In this role, you will also be responsible for interacting with customers that perform security assessments against their ServiceNow instance. You will have the opportunity to assess the security of third-party vendor applications, plan projects, and be a security advocate. A key part of this position is to effectively report issues to the application owners, provide meaningful remediation recommendations, and validate that they have been resolved.

What you get to do in this role:

  • Provide software auditing services to internal teams to discover, communicate, and recommend remediation activities for software vulnerabilities.
  • Provide architecture design input, evaluate threats, and document risk.
  • Proactively research new attack vectors that may affect ServiceNow.
  • Research and implement automated code security quality gates in a CI/CD lifecycle.
  • Research security topics which are a risk to ServiceNow.
  • Be an advocate for security for development teams and participate in a security champions program.
  • Work with third-party vendors on security testing.

In order to be successful in this role, we need someone who has:

  • 7-10+ years of prior experience securing enterprise products.
  • Prior experience building a secure software development life cycle.
  • Developer-level proficiency in Java and JavaScript.
  • Previously managed a bug bounty or responsible disclosure program.
  • Strong understanding of web and mobile application security assessment techniques.
  • Ability to articulate complex issues to executives and customers.
  • Experience working with the ServiceNow Platform a plus.
  • Security certifications a plus.

This role will be working in a Federal environment requiring US citizenship or US permanent resident status with 3 years of residency. Candidates must be eligible for a US security clearance.

ServiceNow is an Equal Employment Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, national origin, age, disability, gender identity, or veteran status. If you are an individual with a disability and require a reasonable accommodation to complete any part of the application process, or are limited in the ability or unable to access or use this online application process and need an alternative method for applying, you may contact us at for assistance.