Senior Product Security Engineer | Application Security
ExtraHop
Job Summary
ExtraHop is seeking a Senior Product Security Engineer with experience in modern software development practices to build and operate product security program capabilities, tools, and processes. The ideal candidate will have a mix of software development and application security experience, enjoy working in a collaborative environment, and be familiar with securing web applications, APIs, and software systems. Key responsibilities include defining standards for secure development, performing threat modeling, and implementing vulnerability scanning tools. The position requires 8+ years of experience in security engineering, application security, and software development, as well as knowledge of cloud-based technologies such as AWS and container environments like Kubernetes and Docker. ExtraHop offers a competitive salary range of $136,600 - $180,000 per year, plus bonus and benefits.
Position Summary
Do you enjoy the challenge of securing complex systems? Want to be part of a collaborative team that builds solutions that protect some of the biggest networks in the world? ExtraHop is seeking a Senior Product Security Engineer experienced with modern software development practices to build and operate product security program capabilities, tools, and processes that allow us to keep pace with a rapidly changing security landscape, reduce security risk, and enable organizational success.
We're looking for candidates with a mix of software development and application security experience, who enjoy working in a collaborative environment and taking direct action to identify, remediate, and prevent vulnerabilities and security issues.
You must have experience securing web applications, APIs, and software systems, working with public cloud infrastructure, and be familiar with container technologies.
Key Responsibilities
Define standards for secure development and configuration of application and infrastructure components, and coordinate with other teams to ensure compliance with those standards
Perform threat modeling, security design reviews, code reviews, and security consultations with software and systems engineers
Implement, manage, and improve vulnerability scanning tools (including SAST, DAST, SCA, and application fuzzing), configuration auditing, and other security assessment tools
Build and improve vulnerability management processes and tooling to support system owners to successfully
Conduct manual pen testing of new features and existing systems; lead red team exercises
Coordinate third-party pentesting and bug bounty programs
Triage vulnerability findings, evaluate risk, and recommend effective remediation actions
Develop and deliver training on secure development standards and processes
Contribute to disaster recovery and contingency planning
Perform and/or lead security incident response activities
Participate in an on-call rotation with occasional after-hours paging to review carefully prioritized security detections
Support security compliance and certification programs (e.g., FedRAMP, NIST SP 800-53, NIST CSF, SOC 2, ISO, FIPS 140-2, etc.) by becoming familiar with control requirements, owning/operating specific controls, and helping other teams meet requirements
Other duties as assigned
Required Qualifications
Bachelor’s degree or equivalent experience in computer science, engineering, or information technology
8+ years of experience in security engineering, application security, and software development
Experience securing cloud-based web applications, APIs, and data; performing security design reviews, code reviews, and threat modeling exercises
Knowledge of software security vulnerabilities and best practices for Golang, TypeScript, JavaScript, Python, C/C++, and React
Solid knowledge of Git
Experience working with container-based environments (Kubernetes, Docker, LXC, etc.)
Experience with the AWS cloud platform
Must be a U.S. citizen
Preferred Qualifications
Applicable certifications in software security, web application penetration testing, or equivalent
Experience securing cloud service (i.e., software as a service (SaaS)) offerings and shippable software products
Experience meeting FedRAMP, NIST SP 800-53, and similar compliance requirements
Experience with Google Cloud Platform (GCP) and Azure
Experience deploying and maintaining systems using modern orchestration and Infrastructure-as-Code technologies
The base salary for this position ranges from $136,600 to $180,000 per year, plus bonus and benefits.
Note: employees, including fully remote staff, are expected to attend two in-person events every year. These events are typically held in our offices in downtown Seattle and run 4-5 days each.