A Little About Us
When you impact millions of people every day, you become a large target for adversaries of all types within all layers of the stack. Our job is to keep our users safe and make Yahoo one of the safest places on the Internet. We are the information security team at Yahoo, known as "The Paranoids".
Product Security (ProdSec) is a fast-moving, globally distributed team of security builders with diverse perspectives and strong technical opinions. We work closely with business units across Yahoo, partnering deeply with engineering to drive secure-by-design practices at scale. Our culture values ownership and hands-on leadership—principals set direction, influence broadly, and help shape how secure products are built across the company.
A Lot About You
The Paranoids are looking for a New York-based Principal Product Security Engineer, who will partner with engineering to shape how secure products are built at scale. You will guide product developers in crafting products to be robust against misuse and abuse - with the lowest friction possible. We're a 100% Agile enterprise working in the latest UI, browser, backend, cloud, and GenAI/ML technologies. You'll also imagine and realize creative ways to help our developers do the right things by default and catch themselves early when they miss.
What a successful candidate will bring to this position
Minimum Requirements
Location Preference: NYC area - Hybrid work environment.
10+ years of experience in application or product security, with a track record of securing desktop and mobile applications.
Strong understanding of secure architecture for thick clients, including local storage protection, inter-process communication, JavaScript engines, OS-level security features, and web security standards (CSP, same-origin policy, TLS/HTTPS).
Experience with mobile (iOS/Android) and desktop (Windows/macOS/Linux) application security models.
Proficiency in GenAI security, modern cryptography, certificate management, secure authentication (OAuth, WebAuthn, FIDO2), and secure session handling.
Knowledge of OS-level hardening techniques, sandboxing, privilege separation, and secure use of platform APIs.
Hands-on experience with secure coding practices in at least one systems language (C++, Rust, Go) and one application language (Kotlin, Swift, C#).
Familiarity with static/dynamic analysis tools, fuzzing, penetration testing, and reverse engineering for client applications.
Experience embedding security into the software development lifecycle (threat modeling, code reviews, secure design patterns).
Ability to manage incident response and vulnerability remediation for thick client environments.
Strong cross-team communication skills and ability to write clear developer-facing security guidelines.
Bachelor's Degree in a related field.
Preferred
Contributions to open-source client frameworks, SDKs, or application security tools.
Prior work with secure local storage, anti-tampering, DRM, or obfuscation in client software.
Familiarity with offline-first application security challenges (sync, caching, data persistence).
Experience with privacy-preserving client design, including minimizing telemetry and preventing data leakage.
Deep understanding of reverse engineering techniques and defenses (e.g., code obfuscation, anti-debugging, integrity checks).
Experience leading security architecture for a thick client application launch at scale.
Advanced degree (MS/PhD) in Computer Science, Cybersecurity, or related field.
The material job duties and responsibilities of this role include those listed above as well as adhering to Yahoo policies; exercising sound judgment; working effectively, safely and inclusively with others; exhibiting trustworthiness and meeting expectations; and safeguarding business operations and brand integrity.
At Yahoo, we offer flexible hybrid work options that our employees love! While most roles don’t require regular office attendance, you may occasionally be asked to attend in-person events or team sessions. You’ll always get notice to make arrangements. Your recruiter will let you know if a specific job requires regular attendance at a Yahoo office or facility. If you have any questions about how this applies to the role, just ask the recruiter!
Yahoo is proud to be an equal opportunity workplace. All qualified applicants will receive consideration for employment without regard to, and will not be discriminated against based on age, race, gender, color, religion, national origin, sexual orientation, gender identity, veteran status, disability or any other protected category. Yahoo will consider for employment qualified applicants with criminal histories in a manner consistent with applicable law. Yahoo is dedicated to providing an accessible environment for all candidates during the application process and for employees during their employment. If you need accessibility assistance and/or a reasonable accommodation due to a disability, please submit a request via the Accommodation Request Form (www.yahooinc.com/careers/contact-us.html) or call +1.866.772.3182. Requests and calls received for non-disability related issues, such as following up on an application, will not receive a response.
We believe that a diverse and inclusive workplace strengthens Yahoo and deepens our relationships. When you support everyone to be their best selves, they spark discovery, innovation and creativity. Among other efforts, our 11 employee resource groups (ERGs) enhance a culture of belonging with programs, events and fellowship that help educate, support and create a workplace where all feel welcome.
The compensation for this position ranges from $143,625.00 - $299,375.00/yr and will vary depending on factors such as your location, skills and experience. The compensation package may also include incentive compensation opportunities in the form of discretionary annual bonus or commissions. Our comprehensive benefits include healthcare, a great 401k, backup childcare, education stipends and much (much) more.
Currently work for Yahoo? Please apply on our internal career site.