Product and Application Security Manager

Summary

Join Benevity, a B Corporation committed to purpose and profits, as the Manager of Product and Application Security. You will play a critical role in integrating security into the software development lifecycle, ensuring our products and applications are secure and trusted. This position involves overseeing security practices, implementing security solutions, conducting risk assessments, managing responsible disclosure, and fostering a culture of security awareness. You will partner with engineering teams, clients, and external researchers to protect our platform and users. Benevity offers a Community First approach, allowing for a hybrid work model with at least 50% in-office time for those within commuting distance. We are committed to diversity, equity, inclusion, and belonging, creating a culture where everyone feels valued and celebrated.

Requirements

• Bachelor’s degree in Computer Science, Information Security, or relevant experience in a related field
• 8+ years of progressive experience in application security, with a strong focus on secure development, vulnerability management, and DevSecOps. Demonstrable experience leading and mentoring security teams
• Hands-on expertise with Static Code Analysis (SAST), Software Composition Analysis (SCA), API security, and Microservices security best practices
• Experience with penetration testing methodologies, vulnerability scanning tools, and risk assessment frameworks
• Deep understanding of security risks, their criticality, and how to prioritize remediation in an agile development environment
• Familiarity with security frameworks such as OWASP SAMM, BSIMM, or NIST CSF
• Experience implementing security in modern development practices, including CI/CD pipelines, container security, and cloud security
• Experience with responsible disclosure programs and working with external security researchers and clients
• Strong problem-solving and analytical skills, with the ability to communicate security concepts effectively to both technical and non-technical audiences

Responsibilities

• Partner with development and DevOps teams to embed security into CI/CD pipelines, ensuring security is a seamless part of software delivery
• Lead the selection, implementation, and ongoing management of Static Code Analysis (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) solutions. Develop and maintain metrics to demonstrate the effectiveness of these tools
• Design and enforce security best practices for API and Microservices Security, including authentication, authorization, and secure data transmission. Provide expert guidance and consultation on API security best practices
• Mentor and coach engineering teams on secure coding practices, secure software design principles, and threat modeling methodologies. Develop and deliver training programs on advanced security topics
• Conduct comprehensive risk assessments on applications, identifying vulnerabilities and their potential business impact
• Oversee penetration testing efforts, analyzing findings and working closely with engineering teams to remediate vulnerabilities
• Develop and maintain a risk-based prioritization framework, balancing security vulnerabilities with business impact, engineering priorities, and regulatory requirements. Communicate risk assessments and mitigation plans to senior leadership
• Continuously monitor and improve Benevity’s security posture by analyzing application security metrics, threat intelligence, and industry trends. Proactively identify and address emerging threats
• Manage and enhance Benevity’s Responsible Disclosure Program, ensuring security researchers and external parties have a clear and efficient process for reporting vulnerabilities. Develop and maintain communication protocols for handling responsible disclosures
• Engage with clients, external researchers, and vendors on publicly disclosed vulnerabilities, ensuring transparent and effective remediation
• Lead security incident response efforts related to product vulnerabilities and coordinate public disclosures as needed
• Deliver security training for developers and engineers, focusing on secure coding, threat modeling, and emerging risks
• Foster a culture of security awareness and ownership within the product and engineering organization, promoting security as an enabler rather than a blocker. Champion security initiatives and drive adoption of secure development practices
• Provide guidance on security standards such as OWASP Top 10, NIST, and ISO 27001 to align product security with industry best practices
• Continuously evaluate emerging security tools and technologies, integrating the best solutions to enhance application security
• Align security strategies with compliance and regulatory frameworks relevant to Benevity’s operations
• Work closely with DevOps and platform teams to implement security automation and infrastructure-as-code security solutions

Preferred Qualifications

Relevant security certifications (e.g., CISSP, CISM, OSCP, CSSLP, GWAPT)

Benefits

• Innovative work
• Growth opportunities
• Caring co-workers
• A chance to do work that fills us with a sense of purpose
• Hybrid work model with at least 50% in-office time for those within commuting distance