Sr. Product Security Engineer

YipitData
$215,000 - $230,000 | Remote

About The Position

We are seeking a Sr. Product Security Engineer to manage the day-to-day execution of the organization's vulnerability management program and provide hands-on support for secure software development lifecycle (SSDLC) and CI/CD security initiatives. This role works closely with the DevSecOps Lead, Engineering, the Platform Team, and Security to ensure vulnerabilities are tracked from discovery through remediation, security controls are functioning as intended, and findings are reported with clear accountability. The engineer in this role translates security requirements into operational workflows: managing intake queues, enforcing SLAs, coordinating remediation with engineering teams, and producing the dashboards and reports that give leadership visibility into security posture.

This is a remote-friendly opportunity that can sit in NYC (where our headquarters is located), in one of our office hubs in Austin, Miami, Los Angeles (CA), or Cupertino (CA), or anywhere else in the US. However, depending on where the remote work is performed, income could be subject to New York State tax withholding. We expect U.S.-based working hours, with the majority of the team working in the Eastern and Central time zones.

Requirements

  • 3–6 years of experience in security operations, vulnerability management, application security, DevSecOps, or a related security engineering role.
  • Hands-on experience with vulnerability management workflows — intake, triage, assignment, remediation tracking, and reporting.
  • Working knowledge of common scanning tools and finding types, including dependency scanning (SCA), secrets scanning, IaC scanning, container scanning, and/or SAST/DAST.
  • Familiarity with Git-based workflows, CI/CD systems, and cloud-native development environments.
  • Experience producing security metrics, dashboards, and reports for technical and leadership audiences.
  • Strong organizational and follow-through skills — ability to track many findings across multiple teams and drive them to resolution.
  • Clear written and verbal communication skills with the ability to coordinate across engineering, security, and business teams.

Nice To Haves

  • Experience with vulnerability aggregation platforms or security finding management tools.
  • Familiarity with GitHub Enterprise, GitHub Actions, or similar CI/CD platforms.
  • Experience supporting SOC 2 or similar audit and compliance requirements, particularly around vulnerability management evidence.
  • Exposure to ticketing system integrations (e.g., Jira) for vulnerability assignment and tracking workflows.
  • Familiarity with supply chain security concepts including SBOMs, image signing, and artifact integrity.
  • Relevant certifications (preferred, not required): GSEC, Certified DevSecOps Professional (CDP), CISSP, CSSLP, or SSCP.

Responsibilities

  • Own the end-to-end vulnerability lifecycle: intake, triage, assignment, remediation coordination, verification, and closure across all finding sources (dependency scanning, secrets scanning, IaC scanning, container scanning, SAST, DAST, and manual assessments).
  • Enforce severity-based SLAs, escalation paths, and ownership expectations. Track remediation timelines and follow up with engineering teams to ensure findings are resolved within policy requirements.
  • Aggregate findings centrally from all scanning tools and sources into a unified tracking system. Ensure every finding has a clear owner, status, and target remediation date.
  • Manage exception and risk acceptance workflows. Process exception requests, document compensating controls, and ensure approvals are captured with appropriate evidence.
  • Produce vulnerability posture reports and dashboards, including aging analysis, SLA compliance, scanner coverage, and trend reporting by severity, team, and business unit.
  • Coordinate with engineering teams on remediation prioritization, providing context on severity, exploitability, and business impact to support informed decision-making.
  • Drive reduction of aging findings through proactive follow-up, workflow automation, and escalation when remediation stalls.
  • Assist the DevSecOps Lead with implementation of baseline security controls such as branch protection, admin enforcement, pull request requirements, review approvals, code owners, secrets scanning, SCA, IaC scanning, and container image scanning.
  • Help integrate controls into repositories, CI/CD pipelines, registries, and deployment workflows as directed by the DevSecOps Lead and Platform Team.
  • Validate that controls are functioning as intended, producing actionable findings, and are difficult to bypass. Report gaps or misconfigurations to the DevSecOps Lead.
  • Assist with onboarding new teams to the secure pipeline by providing hands-on support, troubleshooting, and guidance based on approved templates and reference implementations.
  • Support the DevSecOps Lead in maintaining and socializing the Secure Software Development Lifecycle policy and implementation guide.
  • Help maintain templates, configuration standards, and setup guidance for teams adopting SSDLC controls.
  • Assist with reference repository maintenance, ensuring it stays current with approved Phase 1 controls and serves as useful onboarding documentation.
  • Participate in office hours, reviews, and implementation support sessions to help business units adopt secure development practices.
  • Own vulnerability management metrics and reporting, including finding counts by severity, aging, SLA compliance, remediation rates, and scanner coverage.
  • Contribute to broader security metrics such as control coverage, adoption rates, and exception tracking as directed by the DevSecOps Lead.
  • Prepare audit-ready evidence related to vulnerability management — demonstrating that findings are tracked, SLAs are enforced, and remediation is verified.
  • Support the DevSecOps Lead in preparing leadership updates, compliance evidence, and cross-functional communications.
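The vulnerability lifecycle and reporting responsibilities above (central aggregation across scanner sources, severity-based SLAs, exception and risk-acceptance handling, aging and SLA-compliance metrics, scanner coverage, ownership) in working form. This is an added illustrative example, not YipitData's tooling. The SLA table, the repo-to-team owner map, the three scanner record shapes, the sample findings, the placeholder CVE-style identifiers and the exception register are all assumptions constructed for the example.

```python
"""Aggregate findings from several scanners into one tracked queue, apply
severity-based SLAs, honour approved (unexpired) exceptions, and compute the
aging, SLA-compliance, ownership and coverage figures a posture report needs."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from datetime import date

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}   # assumed remediation policy
OWNERS = {"billing-api": "payments", "web-frontend": "growth", "infra-live": "platform"}  # assumed map
EXPECTED_SCANNERS = {"sca", "secrets", "iac"}   # assumed baseline coverage for every repo


@dataclass(frozen=True)
class Finding:
    key: str        # stable dedup key, so repeated scans do not create duplicate tickets
    source: str
    repo: str
    title: str
    severity: str   # normalised to a key of SLA_DAYS
    opened: date
    resolved: bool
    owner: str


def _sev(raw: str) -> str:
    if raw.lower() not in SLA_DAYS:
        raise ValueError(f"unmapped severity {raw!r}")   # never silently drop a finding
    return raw.lower()


# One normaliser per source; the record shapes are constructed stand-ins, not a vendor format.
def from_sca(r: dict) -> Finding:
    return Finding(f"sca|{r['repo']}|{r['package']}|{r['cve']}", "sca", r["repo"],
                   f"{r['package']}: {r['cve']}", _sev(r["severity"]),
                   date.fromisoformat(r["first_seen"]), r["fixed"], OWNERS.get(r["repo"], "unassigned"))

def from_secrets(r: dict) -> Finding:
    # A leaked credential is treated as critical whatever the scanner says (assumed policy).
    return Finding(f"secrets|{r['repository']}|{r['rule']}|{r['file']}", "secrets", r["repository"],
                   f"{r['rule']} in {r['file']}", "critical", date.fromisoformat(r["detected_at"]),
                   r["state"] == "resolved", OWNERS.get(r["repository"], "unassigned"))

def from_iac(r: dict) -> Finding:
    return Finding(f"iac|{r['repo']}|{r['check']}|{r['resource']}", "iac", r["repo"], r["check"],
                   _sev(r["sev"]), date.fromisoformat(r["opened"]), r["status"] == "closed",
                   OWNERS.get(r["repo"], "unassigned"))

def aggregate(sca: list, secrets: list, iac: list) -> list[Finding]:
    """Merge all sources; on a duplicate key keep the earliest-opened record."""
    merged: dict[str, Finding] = {}
    for f in [*map(from_sca, sca), *map(from_secrets, secrets), *map(from_iac, iac)]:
        if f.key not in merged or f.opened < merged[f.key].opened:
            merged[f.key] = f
    return list(merged.values())

def status(f: Finding, exceptions: dict[str, date], today: date) -> str:
    if f.resolved:
        return "resolved"
    if f.key in exceptions and exceptions[f.key] >= today:
        return "excepted"   # an expired exception falls straight back into SLA enforcement
    return "overdue" if (today - f.opened).days > SLA_DAYS[f.severity] else "within_sla"

def _bucket(age: int) -> str:
    return "0-7" if age <= 7 else "8-30" if age <= 30 else "31-90" if age <= 90 else "91+"

def posture_report(findings: list[Finding], exceptions: dict[str, date], today: date) -> dict:
    open_ = [f for f in findings if not f.resolved]
    st = {f.key: status(f, exceptions, today) for f in findings}
    overdue = [f for f in open_ if st[f.key] == "overdue"]
    in_scope = [f for f in open_ if st[f.key] != "excepted"]   # excepted items do not count against SLA
    seen: dict[str, set[str]] = {repo: set() for repo in OWNERS}
    for f in findings:
        seen.setdefault(f.repo, set()).add(f.source)
    return {
        "by_status": dict(Counter(st.values())),
        "open_by_severity": dict(Counter(f.severity for f in open_)),
        "aging": dict(Counter(_bucket((today - f.opened).days) for f in open_)),
        "sla_compliance_pct": round(100 * (1 - len(overdue) / len(in_scope)), 1) if in_scope else 100.0,
        "overdue_by_owner": dict(Counter(f.owner for f in overdue)),
        "coverage_gaps": {repo: sorted(EXPECTED_SCANNERS - s) for repo, s in seen.items()},
    }


# Constructed sample scanner output; the CVE-style identifiers are placeholders, not real CVEs.
SAMPLE_SCA = [
    {"repo": "billing-api", "package": "lodash", "cve": "CVE-0000-0001", "severity": "HIGH", "first_seen": "2026-01-05", "fixed": False},
    {"repo": "billing-api", "package": "lodash", "cve": "CVE-0000-0001", "severity": "HIGH", "first_seen": "2026-01-05", "fixed": False},  # seen again by a later scan
    {"repo": "web-frontend", "package": "axios", "cve": "CVE-0000-0002", "severity": "MEDIUM", "first_seen": "2026-02-01", "fixed": True},
]
SAMPLE_SECRETS = [{"repository": "billing-api", "rule": "aws-access-key", "file": "config/prod.env", "detected_at": "2026-02-25", "state": "open"}]
SAMPLE_IAC = [
    {"repo": "infra-live", "check": "S3 bucket allows public read", "resource": "aws_s3_bucket.logs", "sev": "critical", "opened": "2026-02-10", "status": "open"},
    {"repo": "infra-live", "check": "Security group allows SSH from 0.0.0.0/0", "resource": "aws_security_group.bastion", "sev": "high", "opened": "2025-12-01", "status": "open"},
]
# Approved risk acceptances keyed by finding key with their expiry date; the second one has lapsed.
SAMPLE_EXCEPTIONS = {
    "iac|infra-live|S3 bucket allows public read|aws_s3_bucket.logs": date(2026, 3, 31),
    "iac|infra-live|Security group allows SSH from 0.0.0.0/0|aws_security_group.bastion": date(2026, 2, 15),
}

def demo(today: date = date(2026, 3, 2)) -> dict:
    return posture_report(aggregate(SAMPLE_SCA, SAMPLE_SECRETS, SAMPLE_IAC), SAMPLE_EXCEPTIONS, today)
```

Two design points matter for audit evidence: the dedup key makes a finding's age run from the first scan that saw it rather than the latest, so aging cannot be reset by re-scanning, and an exception only suppresses SLA enforcement while it is unexpired, so a lapsed risk acceptance shows up as overdue in the next report instead of disappearing.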
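The control-validation responsibility above (branch protection, admin enforcement, pull request and review requirements, code owners, checking that controls are hard to bypass), as an added example of a check that flags a control which is present but bypassable. This is not YipitData's code. The protection dictionary follows the field names of the GitHub REST "get branch protection" response; the approval threshold, the list of sensitive paths, the simplified CODEOWNERS matching and both sample configurations are assumptions made for the example.

```python
"""Check one branch's protection settings and the repository's CODEOWNERS
against a baseline and list the gaps that would let the controls be bypassed."""
from __future__ import annotations
from fnmatch import fnmatchcase

MIN_APPROVALS = 1   # assumed baseline
# Paths that must have a code owner so pipeline and infrastructure changes get security review (assumed).
SENSITIVE_PATHS = [".github/workflows/deploy.yml", "Dockerfile", "infra/main.tf"]


def _on(p: dict, key: str) -> bool:
    return bool((p.get(key) or {}).get("enabled"))

def protection_gaps(p: dict) -> list[str]:
    gaps = []
    prr = p.get("required_pull_request_reviews")
    if not prr:
        gaps.append("pull requests not required")
    else:
        if prr.get("required_approving_review_count", 0) < MIN_APPROVALS:
            gaps.append("fewer approvals required than baseline")
        if not prr.get("require_code_owner_reviews"):
            gaps.append("code owner review not required")
        if not prr.get("dismiss_stale_reviews"):
            gaps.append("approvals survive new pushes (stale reviews not dismissed)")
    if not _on(p, "enforce_admins"):
        gaps.append("admins can bypass protection")
    if _on(p, "allow_force_pushes"):
        gaps.append("force pushes allowed (history can be rewritten)")
    if _on(p, "allow_deletions"):
        gaps.append("branch deletion allowed")
    rsc = p.get("required_status_checks") or {}
    if not rsc.get("contexts"):
        gaps.append("no required status checks, so scanners do not gate merge")
    elif not rsc.get("strict"):
        gaps.append("branch need not be up to date with base before merge")
    return gaps

def parse_codeowners(text: str) -> list[tuple[str, list[str]]]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def owners_for(path: str, rules: list[tuple[str, list[str]]]) -> list[str]:
    """Simplified CODEOWNERS matching: the last matching rule wins, as on GitHub."""
    result: list[str] = []
    for pattern, owners in rules:
        pat = pattern.lstrip("/")
        if pat.endswith("/"):
            hit = path.startswith(pat)                          # directory rule
        elif "/" in pat:
            hit = fnmatchcase(path, pat)                        # anchored path glob
        else:
            hit = fnmatchcase(path.rsplit("/", 1)[-1], pat)     # bare pattern matches the basename
        if hit:
            result = owners
    return result

def codeowner_gaps(codeowners: str) -> list[str]:
    rules = parse_codeowners(codeowners)
    return [p for p in SENSITIVE_PATHS if not owners_for(p, rules)]


# Constructed samples: a weak configuration beside its hardened form.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": ["sca", "secrets-scan"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {"dismiss_stale_reviews": False, "require_code_owner_reviews": True,
                                      "required_approving_review_count": 1},
    "allow_force_pushes": {"enabled": True},
    "allow_deletions": {"enabled": False},
}
HARDENED = {
    "required_status_checks": {"strict": True, "contexts": ["sca", "secrets-scan", "iac-scan"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True, "require_code_owner_reviews": True,
                                      "required_approving_review_count": 1},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
SAMPLE_CODEOWNERS = """# constructed sample; note that Dockerfile has no owner
/.github/workflows/  @acme/security
/infra/              @acme/platform @acme/security
"""
```

Requiring code owner reviews is only as strong as the CODEOWNERS file behind it, which is why the two checks belong together: with `require_code_owner_reviews` on but no owner for the Dockerfile, a change to the image build still merges with an ordinary approval.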

Benefits

  • flexible work hours
  • flexible vacation
  • a generous 401K match
  • parental leave
  • team events
  • wellness budget
  • learning reimbursement
© 2026 Teal Labs, Inc