Principal Product Security Engineer

About The Position

Requirements

• Bachelor’s degree (B.A./B.S.) or equivalent in computer science or technical equivalent discipline from an accredited college or university required.
• 8+ years of experience in IT required.
• 5+ years of experience in an information security role or experience with security and development teams.
• Knowledge of information security regulatory requirements for privacy, secure by design, and defense in depth.
• Broad understanding of information security including ISO27002, NIST and other information security frameworks and regulations.
• Experience with Application/Product Security, Risk Assessment, Threat Models, Secure Architecture/Design, Security Scanning (SAST, DAST, SCA, cloud security configuration scanning).
• Experience with cloud solutions such as Azure and AWS.
• Experience with security policy, procedures, tools, services, and cloud security models.
• Demonstrated ability to plan, design, develop, deploy, and maintain application security best practices.
• Ability to assume high levels of responsibility and to work with a minimum of day-to-day supervision.
• Ability to cooperatively and effectively work with people from all organizational levels and build consensus through negotiation and diplomacy.

Nice To Haves

• Preferable exposure to the following: IEC 62443-4-1, IEC 62443-4-2, NIST 800-53, ISO 27001, ISO 27002, Cloud Security Alliance (CSA), Cybersecurity and Infrastructure Security Agency (CISA), SANS, OWASP, CWE 25, ethical hacking, and AI Security best practices.
• Desired domain knowledge and/or certification: CISSP, CISA, CCSP, CSSLP, CEH, SANS GIAC, security certification from AWS or Azure.
• Desired knowledge of the following Technologies: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA).
• Experience with Application Security Best Practices such as web security, cloud security, pen testing, fuzz testing, security coding guidelines, security architecture/design principles, CVSS, STRIDE, DREAD.
• Experience with Application development technologies, processes, and best practices. For example: Agile, RUP, CICD, DevSecOps.

Responsibilities

• Supporting the design, implementation, and oversight of Product Secure Development Lifecycle, including security requirements, secure architecture/design, risk assessment, threat models, security scanning, triage and vulnerability management, and product security validation/verification.
• Administering product security practices to product teams, technology, and security champions across the organization.
• Driving Product Security efforts to resolve challenges, enable automation, and impact organization security culture.
• Monitoring information security best practices, standards, regulations, industry threats and risks for improvements to product security practices.
• Maintaining a deep understanding of current issues in the realm of information security.
• Subscribing to major industry newsgroups and mailing lists and assessing the impact of all emerging issues on systems and practices at Aspen Technology.
• Monitoring security bulletins and alerts from all Aspen Technology’s information system vendors.
• Evaluating vulnerability impact and formulating and executing risk mitigation plans for product security.
• Providing expert analysis of security customer reported security incidents as a member of the AspenTech Security Emergency Response Team (ASERT).
• Working with information resource owners during and after security incidents; working with product teams for analysis; recommending best practices and solutions.
• Working with product teams, technology teams, client support and customer contacts.
• Performing tasks that cannot be done during business hours, occasionally requiring after-hours and weekend work.

Benefits

• paid time off
• charitable giveback day
• medical/dental/vision insurance
• retirement benefits