Security Engineer

The Senior Product Security Engineer will be responsible for supporting the development of a secure SaaS product on the AWS cloud. They will focus on building a comprehensive security program, including the implementation of a well-rounded SSDLC program with automation of controls in mind. This role will collaborate with the engineering and product management teams to develop secure software testing procedures, define security requirements for product design and engineering specifications, and translate security requirements into application design elements. Additionally, the Senior Product Security Engineer will work on maturing SAST/DAST tooling and engineering guardrail solutions to prevent security incidents and defects.

• Develop secure software testing and validation procedures
• Build security requirements for the product design specifications
• Build security requirements for the engineering specifications
• Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria
• Mature SAST/DAST tooling with the DevSecOps engineers
• Engineer guardrail solutions for the SaaS product and its operations that prevents security incidents and security defects

• Bachelor's degree required/preferred; or equivalent education and/or related work experience.
• Minimum 5 years of Application/Product Security Engineering experience.
• Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list).
• Knowledge of computer programming principles.
• Knowledge of cybersecurity and privacy principles and methods that apply to software development.
• Knowledge of Personally Identifiable Information (PII) data security standards.
• Knowledge of Personal Health Information (PHI) data security standards.
• Knowledge of programming language structures and logic.
• Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
• Knowledge of software debugging principles.
• Knowledge of software design tools, methods, and techniques.
• Knowledge of software development models (e.g., Waterfall Model, Spiral Model, Agile, etc.).
• Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
• Knowledge of web services (e.g., service-oriented architecture, Simple Object Access Protocol, and web service description language).

• Opportunity to build a comprehensive security program with other SMEs as peers
• Work with the engineering team and product management team
• Develop secure software testing and validation procedures
• Build security requirements for product design specifications
• Build security requirements for engineering specifications
• Translate security requirements into application design elements
• Mature SAST/DAST tooling with DevSecOps engineers
• Engineer guardrail solutions for the SaaS product and its operations
• Minimum 5 years of Application/Product Security Engineering experience
• Knowledge of Application Security Risks
• Knowledge of computer programming principles
• Knowledge of cybersecurity and privacy principles and methods
• Knowledge of Personally Identifiable Information (PII) data security standards
• Knowledge of Personal Health Information (PHI) data security standards
• Knowledge of programming language structures and logic
• Knowledge of system and application security threats and vulnerabilities
• Knowledge of software debugging principles
• Knowledge of software design tools, methods, and techniques
• Knowledge of software development models
• Knowledge of system design tools, methods, and techniques
• Knowledge of web services
• Knowledge of interpreted and compiled computer languages
• Knowledge of secure coding techniques
• Knowledge of secure software deployment methodologies, tools, and practices
• Knowledge of penetration testing principles, tools, and techniques
• Skill in developing and applying security system access controls
• Skill in applying cybersecurity and privacy principles to organizational requirements
• Skill in using code analysis tools
• Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems
• Skill in secure test plan design