Staff Security Engineer, Product Security

13 Minutes ago • 7 Years + • Cyber Security • $200,000 PA - $260,000 PA

Job Summary

Job Description

Attentive is seeking an experienced Staff Security Engineer with a product security focus. This role involves reducing risk and enabling fast, safe business operations by securing Attentive’s AWS platform and Java microservices. The engineer will lead the product and application security program, performing design and code reviews, building automation tools, providing engineering support, leading threat modeling, and managing vulnerability lifecycles to enhance product security for clients.
Must have:
  • Perform secure design reviews, testing, and code reviews for new systems and features.
  • Identify and remediate common security flaws like injection attacks, XSS, and insecure configurations.
  • Design, develop, implement, and maintain tools for code and system security from development to delivery.
  • Integrate code scanning, dependency management, security testing, and CI/CD pipeline security.
  • Provide hands-on support to engineers for deploying security solutions and remediating vulnerabilities.
  • Lead the development of comprehensive threat models for products and infrastructure.
  • Establish and manage a vulnerability management lifecycle for applications.
  • Establish secure coding practices and provide continuous security guidance to developers.
  • Develop and maintain security documentation and reports.
  • 7+ years of experience in Security with a focus on application/product security.
  • Deep knowledge of web application technologies and cloud security fundamentals.
  • Proven experience in building and automating security processes, like static code analysis.
  • In-depth knowledge of common application & network protocols, cryptography, authentication, and authorization.
  • Strong experience coding and reviewing code in Java, Python, or Golang.
Good to have:
  • Knowledge of Java vulnerabilities
  • Experience with Gradle dependency management
  • Experience in Kubernetes/container security
  • Experience working in AWS
  • Experience deploying infrastructure as code
Perks:
  • Competitive perks and benefits
  • Health & wellness benefits
  • Equity

Job Details

About the Role

We are looking for an experienced and versatile security engineer who brings both technical acumen and a developer mindset to their work. Our ideal candidate is motivated by helping to reduce risk while enabling the business to move quickly and safely. You will be a key member of the Security Engineering team, which carries the responsibility for the security of Attentive’s platform (we work in AWS) and customer-facing products (we build microservices primarily in Java). Practically, this spans a broad gamut of building and/or operating tools to secure our code and underlying systems from development to delivery, to detect and respond to abnormal behaviors, and to provide security testing and guidance to colleagues as they architect new systems and features.

As part of this team and in this role, you will lead our product and application security program, serving as the key player in our organization for guidance and action on making our product more secure for our clients.

You’ll find yourself working with a group of other talented security professionals of various backgrounds with a shared goal to shape the future of Attentive’s security program and provide a positive impact for the company and its customers.

Approach

At Attentive, we believe interacting with our security team and security controls should feel delightful and straightforward. Thus, the person in this role needs:

  • A creative and solution-oriented attitude. You’ll leverage this when finding solutions that work for all stakeholders.
  • The patience to fully understand developer teams’ processes and goals. You’ll need this so you can implement thoughtful, complementary security solutions.
  • The ability to build automation into security processes. You’ll need this to reduce the security burden on our partner teams and support extremely rapid growth across the company.

What You'll Accomplish

  • Architecture Design & Code Reviews: Perform secure design reviews, testing and code reviews of new systems and product features. Look for common security flaws such as injection attacks, cross-site scripting (XSS), and insecure configurations
  • Automation & Tooling: Design, develop, implement and maintain tools to secure our code and underlying systems from development to delivery. This includes code scanning, dependency management, security testing, and CI/CD pipeline integration
  • Engineering Support: Provide hands-on support to engineers to deploy security solutions, integrate security processes, harden services and remediate vulnerabilities - including encryption, authentication, authorization and input validation
  • Threat Modeling: Lead the development of comprehensive threat models for new and existing products and infrastructure to identify, assess, and mitigate security risks
  • Vulnerability Management: Establish and manage a vulnerability management lifecycle for our applications, ensuring timely detection, reporting, and remediation of security vulnerabilities
  • Security Guidance: Establish secure coding practices and provide continuous security guidance to developers across engineering
  • Documentation: Responsible for developing and maintaining security documentation and reports derived from penetration testing activities and product security tools

Your Expertise

  • 7+ years of experience in Security with a focus on application/product security, with deep knowledge of web application technologies, identifying and remediating common vulnerabilities in code, the modern threat landscape for attack vectors, and commensurate cloud security fundamentals
  • Proven knowledge and experience in building and automating processes, such as static code analysis using Semgrep, to make a positive impact in how code is shipped, not just a checkbox activity
  • In-depth knowledge of common application & network protocols, cryptography, authentication & authorization protocols, and common security threats and attack techniques
  • Bonus if you are well-versed in Java vulnerabilities or Gradle dependency management, and/or have experience in Kubernetes/container security
  • Demonstrated record in prior roles as a senior individual contributor or team leader of independently delivering impact for a security program, both through your own contributions and by influencing change through others
  • Strong experience coding and reviewing code with one of these languages: Java, Python, Golang
  • Bonus if you have experience working in AWS and deploying infrastructure as code
  • Skilled at communicating complex technical ideas, risks and threats to non-technical audiences

You'll get competitive perks and benefits, from health & wellness to equity, to help you bring your best self to work.

For US based applicants:

  • The US base salary range for this full-time position is $200,000 - $260,000 annually + equity + benefits
  • Equity is a substantial part of the total compensation package
  • Our salary ranges are determined by role, level and location
