Job description
Company offers the most-trusted app building platform for anyone looking for a better way to work. Company gives businesspeople and IT experts the ability to easily build and integrate apps to track, manage, and automate processes in days, not weeks. Our customers make lasting and substantial improvements to their business using Company’s bullet-proof cloud-based technology — and they love getting the industry’s best customer experience every step of the way.
We are looking for an experienced Sr. Application Security Engineer to help us build our application security program.
As the Sr. AppSec Engineer, you lead efforts to shift security left and "make security easy" for the Engineering teams. You provide clarity, drive accountability, and push for continuous improvement as we build security into our applications and services.
The Sr. Application Security Engineer reports to the Director, Information Security. The position is fully remote with occasional travel to corporate HQ in Denver, CO.
Responsibilities
AppSec Leadership:
- Lead efforts to further define and improve our application security strategy and secure SDLC processes.
- Serve as a subject matter expert for secure coding practices, application pen testing, mobile platform security, and other aspects of application and product security.
- Demonstrate and train others in secure coding practices and threat modeling.
- Mentor and guide Security Champions embedded throughout the Engineering teams.
- Lead efforts to define and implement a Responsible Disclosure program.
Engineering Partnership:
- Collaborate with Engineering to automate security testing in our CI/CD pipelines.
- Collaborate with Engineering to confirm vulnerability findings. Leverage proof-of-concept exploit code to gauge our exposure.
- Partner with Engineering and Product teams to prioritize security issues relative to vulnerability criticality and business goals.
- Partner with Engineering to perform application security design reviews and code audits.
- Collaborate with Engineering to drive attainment of shared product vulnerability metrics.
Continuous Education:
- Maintain awareness of emerging mobile and web application vulnerabilities.
- Maintain awareness of emerging practices in software engineering, DevOps, and application security.
- Maintain technical expertise, certifications, and industry credentials through training, conferences, and professional organization membership.
Qualifications
- Must have 4+ years of experience in application security.
- Strong people skills and experience collaborating with developers and Engineering leadership to promote secure SDLC.
- Strong foundations in software engineering.
- Ability to articulate and show application vulnerabilities, exploitation techniques, and prevention concepts.
- Experience with SAST, DAST, SCA, fuzzers, and related application security tools.
- Experience with open source or commercial web application pen testing tools.
- Development experience with the following languages and/or frameworks: NodeJS, JavaScript, Java, React, Swift, Kotlin, and Python.
- Effective cross-functional communication. Comfortably switches context between red, blue, and engineering team perspectives.
- Strong sense of personal accountability and commitment to team success.
Education
- B.S. or M.S. in Computer Science or related field.
- An AppSec or pen-test certification such as OSCP, OSWA, GWEB, GCPN, or another relevant credential is a plus.
Differentiators
- Experience with software assurance maturity models, e.g., OWASP SAMM.
- Experience with containers and Kubernetes.
- Experience with GitLab.
Salary & Benefits
- We cover 100% of medical, dental, and vision benefits.
- We understand you have a life outside of work and have an unlimited, flexible time-off policy.
- We provide competitive paid parental leave for all new parents after 6 months.