Principal Application Security Engineer

Principal Application Security Engineer

Summary

Are you passionate about securing global-scale ecommerce services and applications that power millions of customers across over a hundred countries around the globe? We are looking for a hands-on Principal Product Security Engineer to lead our Secure Development Lifecycle assurance processes, our security automation technologies, drive the security hardening strategy across our product and respond to current and emerging security threats. This role can be fully remote and must reside in US.

Responsibilities

• Lead cross-functional projects and establish cutting-edge security development lifecycle practices
• Directed security design reviews and threat modeling for new and existing services at iHerb
• Evaluate, prototype, implement, and operate security-focused tools and services
• Create new secure architecture standards, frameworks and patterns spanning multiple layers
• Discover and analyze emerging security threats, determining applicability to iHerb and proactively implement centralized mitigations
• Evaluate, prototype, implement, and operate security tools and services (DAST, SAST, SCA...)
• Maintain a strong knowledge of current security threats and operational best practices
• Drive our security assessment, penetration testing and bug bounty programs
• Participate in security incident response

Requirements

• Demonstrated technical foundation (Computer Science / Engineering degree or equivalent experience) with an innate ability to translate technical vulnerabilities into organizational risks
• 8+ years of technical security leadership at a top-tier software company including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security, and broader cloud computing technologies
• Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)
• Proficiency implementing SDL process, technology, and automation in a DevOps environment
• Experience with large-scale web applications and microservices, including API design