Job Description:
Product Security Engineer
Location: Burlington, MA (Locals Only)
USC & GC only (Unable to sponsor at this time)
Full Time, Onsite
Phone then f2f

Description
The Product Security Engineer works with internal product teams to secure Client’s product portfolio. As part of the Research team, the Product Security team’s primary charter is to provide security subject matter expertise to engineering teams throughout the organization.
Responsibilities
Provide mentorship and technical guidance to product teams to support cross-product SDLC initiatives.
Design and implement innovative approaches to Product Security compatible with a DevSecOps model.
Review internally developed code for advanced security issues as part of an agile development process.
Conduct comprehensive security reviews and lead threat modeling for new and existing software products.
Assist development teams with understanding and addressing potential security issues revealed by manual or automated review.
Evaluate the security posture of third-party libraries and frameworks and provide product teams with guidance and documented best practices for safely incorporating them into their products.
Develop and maintain internal libraries that provide common implementations of critical security controls.
Work with product teams to understand and respond to security advisories in third-party components as part of a Product Security Incident Response Team.

Requirements
You should love tackling difficult problems, and you should be able to learn new things quickly and independently. You will be asked to understand the security posture and attack surface of products and development frameworks that you’ve had no past experience with, and you will need to do so methodically and comprehensively. It’s also crucial that you’re an effective communicator, as you’ll collaborate frequently with engineers to guide them in understanding and addressing security issues. You’ll also need:
7-8 years of practical application security work experience, preferably including some or all of the following: source code auditing, penetration testing, product assessments, vulnerability research, reverse engineering, and related pursuits.
2-3 years of practical software development experience. This could be either commercial development work or a portfolio of personal projects. Strong familiarity with the Java/J2EE language and modern web development including JavaScript (e.g. AngularJS, Node.js, etc.). Experience with Python, .NET, and modern CI/CD pipelines a plus.
A “breaker” mentality – Client is defense-oriented, but offensive-minded engineers bring a useful and necessary perspective. The ability to assess the attack surface of a piece of software is extremely important.
Compassion for developers. Security and Engineering work together towards common goals at Client and not against each other.
Prototyping ability – the skill to hack something together quick and dirty to solve a problem and demonstrate feasibility.
Experience using and/or customizing commercial SAST, DAST, IAST, or RASP technologies a major plus, but not required.
Excellent attention to detail, quality, and customer satisfaction. Consulting experience a plus.
Strong analytical, organizational, and technical writing skills.
B.S. in Computer Science or equivalent industry experience.
             
