Skip to content
Remote Co Logo
  • Remote
    JOBS
  • Remote
    COMPANIES
  • Remote Work
    RESOURCES
    • Remote Work Articles
    • Remote Worker Q&A
  • Get Started
  • Log In
  • Home
  • Remote Jobs
  • Principal Product Security Engineer
remote-co-logo

Principal Product Security Engineer

Hard Rock Digital

ApplySave Job
  • Date Posted

    Today

    New!
  • Remote Work Level

    100% Remote

  • Location

    Remote in FL

  • Job Schedule

    Full-Time

  • Salary

    We're sorry, the employer did not include salary information for this job.

  • Benefits

    Flexible/Unlimited PTO Paid Vacation

  • Categories

    Cyber Security,  Tech Support,  Video Game,  Ecommerce,  Product Manager,  Project Manager,  Software Engineer

  • Job Type

    Employee

  • Career Level

    Experienced

  • Travel Required

    No Specification

  • Education Level

    Professional Certification

About the Role

Principal Product Security Engineer

  • Remote
    • United States, Florida, United States
  • Technology

What are we building?

Hard Rock Digital is a team focused on becoming the best online sportsbook, casino, and social gaming company in the world. We’re building a team that resonates passion for learning, operating, and building new products and technologies for millions of consumers. We care about each customer interaction, experience, behavior, and insight and strive to ensure we’re always acting authentically.

Rooted in the kindred spirits of Hard Rock and the Seminole Tribe of Florida, Hard Rock Digital taps a brand known the world over as the leader in gaming, entertainment, and hospitality. We’re taking that foundation of success and bringing it to the digital space - ready to join us?

 

What's the Position?

We're looking for a Principal Product Security Engineer to own the security of Hard Rock Bet — our sportsbook and casino — from the first line of code to production: how we design and build secure software, and how we find, prioritize, and close vulnerabilities once they exist. Full-lifecycle ownership, not a narrow slice of the pipeline — real autonomy, real accountability for outcomes.

You'll be one of three Principal Engineers — Product Security, Identity, and Cloud & Network Security — hired as direct reports to our VP Security / CISO, inside a 16-person security organization. It's a highly regulated, highly targeted business — player data, real-money transactions, wagering integrity — your work directly protects players and our license to operate.

If you like owning a problem end to end and making the secure path the fast path to production, this role is built for you.

 

What You'll Do

Secure SDLC & DevSecOps

  • Embed automated checks across our cloud (GitHub Actions) and on-prem product pipelines — GitHub Advanced Security (SAST/SCA) and Wiz Code for application, dependency, and container scanning

  • Define secure-by-default patterns, paved-road guardrails, and standards for secure coding, code review, and dependency hygiene — so teams ship quickly and safely

  • Serve as the application authority for our Zero Trust program, aligned to NIST SP 800-207 and the CISA Zero Trust Maturity Model (Applications & Workloads pillar)

Threat Modeling & Secure Design

  • Partner with product and engineering on security reviews for new features and payment integrations — running threat modeling (e.g., STRIDE) early in design and turning output into concrete, prioritized work

Vulnerability Management (End to End)

  • Own the product and application vulnerability lifecycle — one program spanning code, dependency, container, pen-test, and bug-bounty findings, from discovery through remediation

  • Prioritize by real-world risk and drive remediation against risk-based SLAs; engineering owns the fixes, you own the program and the escalation paths that shrink time to remediate

  • Report program health with metrics leadership can act on, and provide evidence for compliance obligations (PCI DSS, GLI, ISO 27001, SOC 2)

  • Where this role ends: our Principal Cloud & Network Security Engineer owns cloud misconfiguration and runtime posture; you own the application layer — code, dependencies, and containers — on one shared prioritization model

Application & API Security

  • Defend our applications and APIs against the OWASP Top 10 and API abuse, partner on payment security across our payment gateways, and team with our Principal Cloud & Network Security Engineer — who owns our Cloudflare edge defenses (WAF, Bot Management) — on bot and abuse resilience

  • Own the application security of player-facing account flows — registration, authentication, session management, recovery — partnering with our Principal Identity Engineer on CIAM architecture and with SecOps and Fraud on account-takeover resilience

Testing & External Assurance

  • Coordinate penetration testing with external partners and drive findings to closure

  • Mature our existing coordinated-disclosure program into a full bug-bounty capability

  • This is a big charter by design — year one is about sequencing, not doing it all at once. You'll set priorities with the CISO; with GitHub Advanced Security, Wiz, and Cloudflare already live, you're building a program, not standing up scanners from zero.

Job requirements

What are we looking for?

  • 10+ years in application or product security — or equivalent practical experience

  • Deep expertise across the AppSec toolchain: SAST, SCA, and secure code review

  • Strong command of the vulnerability management lifecycle: triage, prioritization, remediation tracking, metrics

  • Hands-on threat modeling and secure-design partnership with engineering teams

  • Working knowledge of a modern programming language and how real applications are built and deployed

  • Experience with CI/CD pipelines and cloud-native application security (our products run primarily on AWS)

  • Excellent communication — you turn a finding into a clear, prioritized ask

  • Fluency with AI — you lead with it, reaching for AI tools daily to work faster and sharper; hands-on experience applying AI to security or engineering work is a must

You don't need to tick every box. If you're deep in AppSec but still building the vulnerability-management program muscle — or the reverse — we want to hear from you.

 

Bonus Points

  • Experience in a regulated industry (gaming, financial services, healthcare) — especially payments/PCI DSS or gaming standards (GLI-19, GLI-33)

  • Experience running or maturing a bug-bounty or responsible-disclosure program

  • DAST or API security testing experience — you'll help decide where it fits our stack

  • Relevant certifications (e.g., OSCP, GWAPT, CSSLP, CISSP)

     

Who You Are

  • An end-to-end owner — as comfortable in a design review as chasing a CVE to closure

  • A developer's ally — you make secure the easy choice rather than the slow one

  • Fiercely focused — detail-oriented about risk, pragmatic about what to fix first

  • Deeply curious — you dig past the obvious answer and keep learning as the attack surface shifts

  • Customer obsessed — motivated by protecting real players and real money at scale

 

Why This Role Is Different

You'll own the full arc of product security — not filing findings for someone else to prioritize while another team chases remediation. You set priorities, see the consequences of your own calls, and build a program that fits how our engineering teams actually work — reporting directly to our VP Security / CISO. A principal seat, not a function buried three layers down.

This is one of three Principal openings reporting to our VP Security / CISO: Identity (who and what gets access), Cloud & Network Security (where workloads run and how traffic moves), and Product Security (the code and its vulnerabilities). Apply to the one that sounds like your Tuesday.

 

What’s in it for you?

We offer our employees more than just competitive compensation. Our team benefits include:

  • Competitive pay and benefits

  • Flexible vacation allowance

  • A hybrid / remote working environment

  • Startup culture backed by a secure, global brand

 
 
 
Apply

FAQs About Principal Product Security Engineer Jobs at Hard Rock Digital

This job offers 100% Remote Work.
Full-Time
Yes, the benefits include Flexible/Unlimited PTO and Paid Vacation.
This job posting doesn't provide any salary details at the moment.
Cyber Security, Tech Support, Video Game, Ecommerce, Product Manager, Project Manager, Software Engineer
You can apply directly using the apply button given on the page.
Residents of FL or United States
The work location for this position will be FL
Experienced
The required education level for this role is Professional Certification

Meet Remote.co

  • About & Contact
  • CCPA/GDPR
  • Do Not Sell or Share My Personal Information
  • Fraud Awareness
  • Press & Media
  • Sitemap

Remote Work Q&A

  • All Remote Companies
  • Why Remote
  • Hiring Remotely
  • Managing Remotely
  • Working Remotely
  • Remote Worker Insights
  • All Remote Workers

Remote Work Articles

  • All Articles
  • Why Go Remote
  • Build a Remote Team
  • Remote Management
  • Work Remotely

Remote Jobs

  • Find Remote Jobs
  • Remote Accounting Jobs
  • Remote Account Manager Jobs
  • Remote Bookkeeping Jobs
  • Remote Customer Service Jobs
  • Online Data Entry Jobs
  • Remote Data Science Jobs
  • Remote Design Jobs
  • Remote Developer Jobs
  • Online Editing Jobs
  • Remote Healthcare Jobs
  • Remote IT Jobs
  • Remote Marketing Jobs
  • Remote Medical Coding Jobs
  • Remote Nursing Jobs
  • Remote Legal Jobs

More Remote Jobs

  • Remote Operations Jobs
  • Remote Product Manager Jobs
  • Remote Project Manager Jobs
  • Remote QA Jobs
  • Remote Recruiter Jobs
  • Remote Sales Jobs
  • Remote Social Media Jobs
  • Online Teaching Jobs
  • Virtual Assistant Jobs
  • Remote Writing Jobs
  • Entry-Level Remote Jobs
  • Online Freelance Jobs
  • International Remote Jobs
  • Part-Time Remote Jobs
© 2015 - 2026 Remote.co | TOS | Privacy Policy | Manage Cookies | Accessibility
Next App