Product Security Engineer

Summary

The Product Security Engineer will help drive the security hardening strategy, lead security design reviews, evaluate and implement security tools, understand emerging threats, participate in security incident response, and more. This role requires a technical foundation, proficiency in SDL process, experience with large-scale web applications, excellent problem-solving skills, and active contribution to the security community.

Requirements

• Demonstrated technical foundation
• Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)
• Proficiency implementing SDL process, technology, and automation in a DevOps environment
• Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection and encryption
• Excellent problem solving, critical thinking, collaboration and communication skills
• Experience driving application security training, security champions and awareness campaigns
• Active contributor to the security community (research, open source, publications…)
• Knowledge of major programming languages and frameworks (e.g. Python, C# .NET, JavaScript, node.js, Java...)
• Generally requires three (3) plus years of technical security experience at top-tier software companies
• Computer Science / Engineering degree or equivalent experience with an ability to translate technical vulnerabilities into organizational risks

Responsibilities

• Drive cross-functional projects and establish cutting-edge security development lifecycle practices
• Lead security design reviews and threat modeling for new and existing services at iHerb
• Evaluate, prototype, implement, and operate security-focused tools and services
• Develop new secure architecture standards, frameworks and patterns spanning multiple layers
• Understand and analyze emerging security threats, determining applicability to iHerb and proactively implement centralized mitigations
• Evaluate, prototype, implement, and operate security tools and services (DAST, SAST, SCA...)
• Maintain a strong knowledge of current security threats and operational best practices
• Take part in our security assessment, penetration testing and bug bounty programs
• Participate in security incident response

Benefits

• Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs
• Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies
• Employees will enjoy paid holidays throughout the calendar year
• Hired applicant may be awarded Restrict Stock Units and receive annual bonuses pursuant to eligibility and performance criteria defined in the respective plan documents and policies