
Senior Engineer – Product Security
US Remote @ The College Board, posted 3 weeks ago in Software Engineering
Job ID 852
Job Description
In this role, you will:
Partner with Programs – Partnership Development (50%)
- Act as a liaison between product development teams (both within and outside of technology) and other information security teams via regular engagements with assigned partner teams.
- Embed into product team’s planning and grooming sessions.
- Develop a deep understanding of CB’s security policies and guidelines, audit requirements (SOC2, ISO27002, PCI, PII) and GRC exceptions to support compliance and security work.
- Create threat models and risk registers for your assigned products and communicate application risks and vulnerabilities to technical & nontechnical stakeholders.
- Lead application vulnerability reviews and remediation efforts, developing deep skill in understanding, managing and determining the exploitability of vulnerabilities so that risk and priority are assigned correctly.
- Work to gain a deep understanding of your assigned products’ architectures, supply chain (vendors, partners, third parties), development practices, CI/CD, GRC exceptions, and release cadence in order to understand and support mitigation of security risks.
Elevate Product Security (25%)
- Drive and lead efforts to promote, grow and enhance the Product Security Partners program to develop security champions and enable development teams to shift left.
- Lead development of innovative guidance and training sessions to improve secure SDLC skills and awareness and cultivate a culture of security.
- Coach product teams and junior team members on performing secure reviews of application architectures and document and advertise new security patterns as needed.
- Innovate and stay current with industry trends to support continuous improvement of our Partner Program.
Drive Operations (25%)
- Drive implementing and operationalizing security tooling and common integrated development environments (AWS).
- Drive development of key metrics and KPIs to measure product security impact and report on assigned partner teams’ security posture and maturity of practices.
- Participate in planning and grooming as part of agile ceremonies and manage assigned epics.
- Provide hands on expertise with CI/CD and build pipelines to further enhance quality and security gates; lead integration of automated solutions to increase security in CI/CD.
- Work with broader Information Security team on incident response and operational/strategic initiatives.
- Lead evaluation and improvement of new and existing security standards, tools, and solutions with a focus on automation and securing build pipelines for a shift left approach.
About You
You Have:
- 5-8 years of progressively responsible, directly related, hands-on experience in application security or DevSecOps
- Strong hands-on knowledge of secure development practices, secure SDLC, DevSecOps, pen testing and threat modeling
- Solid experience with securing AWS services, AWS secure architectures, application security and cloud applications, including software supply chain and microservice architectures
- A thorough understanding of network and web protocols (TCP/IP, UDP, HTTP, HTTPS, SSL, TLS, DNS, etc.)
- Hands-on experience reproducing and remediating common application vulnerabilities (OWASP/SANS) such as cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), the OWASP Top 10, and other attack vectors
- Solid hands-on experience securing CI/CD, Node.js, React, RESTful APIs and common development frameworks (Angular, Bootstrap, Node, Struts, Spring, ASP.NET MVC, etc.)
- Experience with key development tools/systems (artifact management, version control, work tracking, secrets management, NPM, build and deployment tools, etc.)
- Authorization to work in the United States