Life360 is a company focused on keeping families connected through its mobile app and tracking devices. It is seeking a Senior Product Security Engineer to serve as a security partner across product and platform teams, conducting design reviews, managing vulnerabilities, and ensuring secure development practices in an AI-native environment.
Responsibilities:
- Conduct security architecture reviews across mobile (iOS/Android), backend (Java, Python, PHP), data pipelines, and third-party integrations. You're the security partner teams come to during design, not after
- Translate threat models and security requirements into pragmatic guidance engineers can act on
- Build trusted relationships with product and platform engineering teams
- Further operationalize and tune ASPM tooling (Cycode) to unify SAST, SCA, secret scanning, and container security into actionable signal, not noise
- Build security-as-code patterns and pre-approved libraries that make the secure path the default path
- Automate vulnerability triage, deduplication, and routing so the team spends time on judgment, not toil
- Drive SLA-based remediation workflows with clear severity definitions, ownership, and escalation paths
- Build metrics that translate security posture into language engineering leadership and executives can use
- Partner on design reviews for AI-powered features: model access controls, data boundary enforcement, and retrieval system authorization
- Contribute to securing agent workflows, MCP integrations, and shared AI tooling as adoption scales across engineering
- Work with Privacy, Legal, and Data Platform on controls for sensitive data: real-time location, family relationships, and data involving minors
Requirements:
- 5+ years in application security, product security, or DevSecOps with a track record of shipping controls that earn adoption, not just approval
- Hands-on builder. You define secure patterns, write code, and deliver tooling that holds up in production. You're a practitioner, not just an advisor
- Experience conducting threat models and security architecture reviews across mobile (iOS/Android), cloud (AWS/GCP), and backend services (Java, Python, PHP). You catch design flaws that automated tools miss
- Practical experience securing AI/ML systems. You've worked with prompt pipelines, RAG architectures, model access controls, or agentic workflows and understand the trust, authorization, and data boundary problems they introduce
- Working knowledge of ASPM platforms and security tooling: SAST, SCA, secret scanning, container scanning. You've tuned these to produce signal, not noise
- Familiarity with CI/CD security integration. You've built security into pipelines without breaking developer velocity
- Solid grounding in secure development practices: OWASP Top 10, OWASP LLM Top 10, secure-by-design principles, and practical remediation guidance
- Comfort with ambiguity. You're energized by first-draft standards, testing approaches, and scaling what works rather than waiting for a playbook
- Strong cross-functional communication. You carry risk, tradeoffs, and technical decisions across engineering, product, and leadership without losing precision. You can reshape a risky decision clearly and constructively
- Experience with multi-agent orchestration frameworks and their identity and authorization challenges
- Background in consumer technology or privacy-sensitive domains where personal data is a core product obligation, not just a legal checkbox
- Experience securing location-based services or products involving data from minors
- CISSP, OSCP, GWAPT, or similar certifications
- Contributions to open-source security tools, public research, or conference speaking