Application Security Engineer II

Tripadvisor

📍Remote - Portugal

Summary

Join Viator, a Tripadvisor company, as an Application Security Engineer II and play a key role in enhancing our application security. You will proactively identify and mitigate security vulnerabilities, integrate security tools into our CI/CD pipelines, and educate developers on secure coding practices. Collaborate with engineering teams to ensure secure applications and contribute to improving our security posture. Lead security initiatives, mentor junior engineers, and build strong relationships with development teams. This role requires experience in threat modeling, secure coding practices, and working with security tools. Viator offers competitive compensation, flexible work arrangements, and various employee benefits.

Requirements

  • Experience in threat modeling, focusing on common attack vectors like SQL injection and XSS
  • Familiarity with the deployment order of AppSec tools, such as SCA, SAST, and DAST
  • Ability to work with development teams to prioritize and manage vulnerability backlogs
  • Understanding of the primary risks associated with open-source libraries, including outdated or vulnerable components
  • Experience in following escalation processes for critical library vulnerabilities and assisting in their remediation
  • Proficiency in using secret scanning tools and refining scanning rules to minimize false positives
  • Knowledge of the difference between Application Security and Product Security
  • Experience in following and reviewing security development guidelines
  • Proven ability to lead smaller projects, such as implementing SAST tools or conducting developer training
  • Can spot most security flaws in a system, but may miss complex ones
  • Can describe how vulnerabilities can be exploited and provide valid attack scenarios
  • Offers reasonable mitigation strategies for identified vulnerabilities (e.g., parameterized queries for SQLi)
  • Can explain most security concepts clearly
  • Basic knowledge of secure authentication best practices like hashed passwords and MFA
  • Understands application-level risks and focuses on fixing specific issues
  • Basic awareness of the secure development lifecycle (SDLC)

Responsibilities

  • Proactively identify and mitigate security vulnerabilities in collaboration with engineering teams
  • Integrate automated security testing tools into the CI/CD pipeline
  • Provide feedback on secure design principles for new features and systems
  • Review and contribute to playbooks for handling security incidents
  • Lead basic threat modeling sessions and educate developers on secure coding
  • Perform penetration assessments to identify security weaknesses
  • Propose and implement improvements to security operations and processes
  • Lead moderately complex security initiatives and projects
  • Mentor junior application security engineers and contribute to their development
  • Build strong relationships with development teams to influence and promote security best practices

Preferred Qualifications

Participation in internal bug bounty programs is a plus

Benefits

  • Competitive compensation packages, including base salary and annual bonus
  • “Work your way” with flexibility to suit your lifestyle. We take a remote-friendly approach to collaboration, with the option to join on-site as often as you’d like in select locations
  • Flexible schedule. Work-life balance is ingrained in our culture by design. Trust and accountability make it work
  • Donation matching. Give back? Give more! We match qualifying charitable donations annually
  • Tuition assistance. Want to level up your career? We love to hear it! Receive annual support for qualified programs
  • Lifestyle benefit. An annual benefit to spend on yourself. Use it on travel, wellness, or whatever suits you
  • Travel perks. We believe that travel is employee development, so we provide discounts and more
  • Employee assistance program. We’re here for you with resources and programs to help you through life’s challenges
  • Health benefits. We offer great coverage and competitive premiums
