Dropbox Engineering Career Framework
Security Engineer: Appendix


We’re striving to use clear language, but there are a few words where it’s helpful to expound upon how we interpret them.

Craft Responsibility Definitions

The responsibilities defined below make up the foundation of the Security Engineer craft:
  • Security Execution: The ability to understand and effectively implement, test, and operate security controls (loosely defined as technologies and processes specific to security or used to implement a security requirement) across multiple aspects of information security principles, tools, and methods. Using this ability to solve the security problems Dropbox faces, such as incident response, penetration testing, reviewing or creating security architectures and designs, writing software which plays a security function, risk assessment, advocacy, teaching, among others. Mastery of one or more security domains defined as:
  • Access Control Systems and Methodology
  • Telecommunications and Network Security
  • Business Continuity Planning and Disaster Recovery Planning
  • Security Management Practices
  • Security Architecture and Models
  • Law, Investigation, and Ethics
  • Application and Systems Development Security
  • Cryptography
  • Computer Operations Security
  • Physical Security
  • As an optional addition, mastery of one or more adjacent domain:
  • Code Fluency & Software Design
  • Technology Fluency: Understanding of the technologies used by Dropbox and the security implications of those. Ability to deconstruct (reveal the basis to expose inconsistencies) and simplify problems. Does not necessarily include building or producing code but meets a technical bar for competency in, for instance, threat modeling and reviewing code for security deficiencies.
  • Influences design or implementation choices and engineering teams in areas such as application, networking, OS, Cloud, or specific platforms, data analysis and processing, and software development.
  • Ability to communicate risks, priorities, and the reasoning behind those decisions to partners, peers, and customers.  Effectively sharing knowledge and expertise with others in the course of doing security work, contributing to the growth of the security organization. This may be done in a variety of ways such as mentoring, writing documentation, or giving talks.
  • Threat Fluency: Understanding and experience with relevant threats and the corresponding attack patterns, techniques, mindset, and types of vulnerabilities that an attacker may exploit and how we introduce them, and defense techniques to mitigate them.