Principal Application Security Engineer

We are UMG, the Universal Music Group. We are the world’s leading music company. In everything we do, we are committed to artistry, innovation and entrepreneurship. We own and operate a broad array of businesses engaged in recorded music, music publishing, merchandising, and audiovisual content in more than 60 countries. We identify and develop recording artists and songwriters, and we produce, distribute and promote the most critically acclaimed and commercially successful music to delight and entertain fans around the world.
 

How you’ll LEAD:

Our team is looking for a Principal Application Security Engineer to lead the protection and defense of our digital applications and software ecosystem.  This role will focus on detecting, mitigating, and responding to application security threats, ensuring that our applications and services remain resilient against cyber threats.  In addition, they will focus on penetration and application security testing concentrating on pre-release, post-release, and 3rd party applications.

We take security very seriously, and protecting our customers is our highest priority. If you are a self-starter who is passionate about security and is excited to work in a highly collaborative environment alongside a diverse team of experts every day, this position is for you.

In addition to having strong technical skills, you must be comfortable in effectively communicating with business leadership, our software development community, technical IT teams, and business partners, all while being sensitive to a wide diversity of cultural and technical backgrounds in a global business environment.

How you’ll CREATE:

• Defend UMG applications by identifying and mitigating real-world attack vectors, including OWASP Top 10, API abuse, and software supply chain risks;
• Conduct analysis and testing to verify the strengths and weaknesses of applications in various environments, utilizing commercial and open-source tooling;
• Develop exploits based on assessments and/or ability to make modifications on existing exploits;
• Identify and clearly articulate (written and verbal) findings to stakeholders;
• Provide subject matter expertise with application security, advising the organization on best practices and emerging security threats;
• Strengthen API security by enforcing authentication, rate-limiting, and anomaly detection against abuse and fraud;
• Harden software supply chains by implementing SBOM standards, validating dependencies, and mitigating risks from 3rd party software;
• Integrate automated security defenses into the CI/CD pipeline, ensuring security testing is continuous and proactive;
• Assist in maturation of security champions program;
• Assist in development of company specific application security training content;
• Author best practices, guidelines, standards and policy; and
• Other duties as assigned.

Bring your VIBE:

• 8+ years of experience in Application Security, Product Security, or Security Engineering;
• Strong knowledge of application-layer attacks, including but not limited to: SQL injections, XSS, SSRF, RCE, and API abuse;
• Hands on experience with SAST, DAST, SCA, etc. tooling;
• Experience with secure software supply chain (SBOM, dependency scanning, artifact signing);
• Team player with the ability to both articulate thoughts and opinions but also listen and compromise; and,
• Experience with media streaming security, Digital Rights Management (DRM), and/or anti-piracy a plus.

#LI-remote

Perks Playlist:

• Be part of an entrepreneurial, global organization that values authenticity, drive, creativity, relationships, and a competitive spirit

• Comprehensive medical, dental, vision, and FSA options, as well as:

  • 100% coverage for out-patient mental health services

  • Wellbeing reimbursements for fitness classes, spa treatments, meal services, travel, and so much more (up to $720/year)

  • A lifetime fertility support allowance of $30,000 to plan participants

  • Student Loan Repayment Assistance and Tuition Reimbursement

  • 100% immediately vested 401(k) match on the first 5% of your contribution on eligible compensation

• Variety of ways to prioritize much-needed time away from work including:

  • Flexible Paid Time Off (PTO) for exempt employees

  • 3-weeks PTO for non-exempt employees

  • 2-weeks paid Winter Break

  • 10 Company Holidays (including Juneteenth and Wellbeing Day)

  • Summer Fridays (between Memorial Day and Labor Day)

  • Generous paid parental leave for every type of parent

Check out our full overview of benefits on the Perks Playlist page of the career site.

Disclaimer: This job description only provides an overview of job responsibilities that are subject to change.

Universal Music Group is an Equal Opportunity Employer

We are an E-Verify employer in Alabama, Arizona, Georgia, Mississippi, North Carolina, South Carolina, Tennessee, and Utah.

For more information, please click on the following links.

E-Verify Participation Poster: English / Spanish

E-Verify Right to Work Poster: English | Spanish

Job Category:

Salary Range:

The actual base salary offered depends on a variety of factors, which may include, as applicable, the qualifications of the individual applicant for the position, years of relevant experience, specific and unique skills, level of education attained, certifications or other professional licenses held, and the location in which the applicant lives and/or from which they will be performing the job.  All candidates are encouraged to apply.