Senior Product Security Engineer

ExtraHop

πŸ“Remote - Worldwide

Summary

Join ExtraHop, a leader in network detection and response (NDR) technology, as a Senior Product Security Engineer. You will play a key role in building and operating our product security program, ensuring the security of our complex systems. This position requires a blend of software development and application security expertise, with a focus on securing web applications, APIs, and software systems in a cloud environment. You will define security standards, perform threat modeling and code reviews, manage vulnerability scanning tools, and conduct penetration testing. The ideal candidate possesses extensive experience in security engineering and software development, along with a strong understanding of cloud platforms and container technologies. ExtraHop offers a competitive salary and benefits package, including health insurance, paid time off, and a hybrid/remote work model.

Requirements

  • Bachelor’s degree or equivalent experience in computer science, engineering, or information technology
  • 8+ years of experience in security engineering, application security and software development
  • Experience securing cloud-based web applications, APIs, data; performing security design reviews, code reviews and threat modeling exercises
  • Knowledge of software security vulnerabilities and best practices for Golang, Typescript, Javascript, Python, C/C++, React
  • Solid knowledge of Git
  • Experience working with container-based environments (Kubernetes, Docker, LXC, etc.)
  • Experience with AWS cloud platform
  • Must be a U.S. citizen

Responsibilities

  • Define standards for secure development and configuration of application and infrastructure components; and coordinate with other teams to ensure compliance with those standards
  • Perform threat modeling, security design reviews, code reviews, and security consultations with software and systems engineers
  • Implement, manage and improve vulnerability scanning tools (including SAST, DAST, SCA, and application fuzzing), configuration auditing and other security assessment tools
  • Build and improve vulnerability management processes and tooling to support system owners to successfully
  • Conduct manual pen testing of new features + existing systems; lead red team exercises
  • Coordinate third party pentesting and bug bounty programs
  • Triage vulnerability findings, evaluate risk, recommend effective remediation actions
  • Develop and deliver training on secure development standards and process
  • Contribute to disaster recovery and contingency planning
  • Perform and/or lead security incident response activities
  • Participate in an on-call rotation with occasional after-hours paging to review carefully prioritized security detections
  • Support security compliance & certifications programs (e.g., FedRAMP, NIST SP800-53, NIST CSF, SOC 2, ISO, FIPS 140-2, etc.) by becoming familiar with control requirements, owning/operating specific controls, and helping other teams meet requirements
  • Other duties as assigned

Preferred Qualifications

  • Obtained applicable certifications for software security, web application penetration testing or equivalent
  • Experience securing cloud service (i.e., software as a service (SaaS)) offerings and shippable software products
  • Experience with meeting FedRAMP, NIST SP 800-53 and similar compliance requirements
  • Experience with Google Cloud Platform (GCP) and Azure
  • Experience deploying and maintaining systems using modern orchestration and Infrastructure-as-Code technologies

Benefits

  • Health, Dental, and Vision Benefits
  • Flexible PTO, Sick Time Prorated Based on Date of Hire, and All Federal Holidays (US Only) + 3 Days of Paid Volunteer Time
  • Non-Commissioned Positions may be eligible to participate in the Annual Discretionary Bonus Plan
  • FSA and Dependent Care Accounts + EAP, where applicable
  • Educational Reimbursement
  • 401k with Employer Match or Pension where applicable
  • Pet Insurance (US Only)
  • Parental Leave (US Only)
  • Hybrid and Remote Work Model
