We are now looking for a Staff Product Security Engineer who will be responsible for providing security guidance in cloud security and web application software design and development (AppSec); identifying, analyzing, communicating, and owning the remediation of product risks; and building automation that supports these goals.
Reporting directly to the Head of Product Security, you will use a DevSecOps model and partner with embedded Security Champions to review architectures and remediate security testing findings across the S-SDLC. The Product Security department owns all security tools (IAST, DAST, SAST) and tracks Engineering's remediation of security findings using an Application Security Posture Management platform called Armorcode. The Staff Product Security Engineer reviews product requirements and performs risk assessments on planned cloud infrastructure and application changes. This role requires a highly collaborative approach paired with excellent communication skills to balance trade-offs, push back, and negotiate to get things done. This is where you come in...
Over the past years, you have developed a broad range of security-related skills and gained exposure to diverse application security frameworks, web application vulnerabilities, software security architecture, security threat modeling, and software security testing tools and methodologies, preferably with SaaS product security experience. You come from a software engineering educational background or have relevant experience. You have a strong background in cybersecurity and have done SANS training, or have certifications such as AWS Certified Security Specialist, CSSP, GWAPT, GPEN, GSEC. Hands-on experience working with Amazon Web Services (AWS) is a must. Experience with Terraform, Ruby on Rails, Go, or any other programming/scripting language is preferred. You keep up to date with web application security concepts (the OWASP Top 10, for example) and AWS security best practices, and have a working knowledge of securing containerized and serverless environments: EKS, Kubernetes, Lambda. You have 2 years of web application security experience -- you have spent time participating in bug bounty, ethical hacking, or contributing to other security-related research activities. You are highly collaborative and bridge the gaps between Engineering, Product, Security and the rest of the business to create a secure and stable network. You can balance between builder & breaker. Curiosity, patience, proactiveness & a learner's mindset are at the core of your approach to reducing the threat landscape.