Application Security Engineer

at Sprout Social

Toronto, ON, Canada

Start Date: Immediate
Expiry Date: 06 Aug, 2024
Salary: Not Specified
Posted On: 07 May, 2024
Experience: 3 year(s) or above
Skills: Jenkins, Web Application Security, Written Communication, Security Tools, JavaScript, Python, Automated Software Testing, Security, AWS, Automation, Fuzzing, GitHub, OSCP, CISSP, Cloud Computing, Kubernetes, Network Security, Code, Docker, GWAPT
Telecommute: No
Sponsor Visa: No

Description:

Sprout Social is looking to hire an Application Security Engineer to join the IT team.

WHAT YOU’LL BRING

These are the minimum qualifications that our hiring team is looking for in this role:

  • 3+ years of experience performing security assessments for a variety of systems, applications, APIs, and proprietary technology to secure cloud-based and containerized environments
  • Advanced knowledge and understanding in various disciplines: web application security, mobile app security, network security, operating system internals and hardening, applied cryptography, cloud computing. (You’re expected to be an expert in at least one of these areas.)
  • Experience writing and maintaining code in at least one common programming language such as Python, Go, JavaScript, etc., and a desire to continue learning
  • Experience with manual and automated software testing, fuzzing, static/dynamic code analysis, and manual code reviews

Additionally, these are the preferred qualifications that would indicate a particularly strong candidate:

  • Experience leading “shift left” efforts to transparently build security into the software development lifecycle and implement pragmatic defenses
  • Familiarity with technology/tools such as Kubernetes, Docker, Jenkins, Terraform, AWS, GitHub, etc.
  • Experience managing a vulnerability management program, performing and documenting threat modeling processes, and expertise in determining the severity of a vulnerability to the business
  • Strong verbal and written communication, and the ability to tailor your message to audiences across and beyond the organization
  • Experience building security tools, scripts, and automation
  • Familiarity with AI/ML security risks such as data poisoning, model extraction, adversarial examples, etc., and their mitigations
  • Certifications such as GWAPT, eWPT/eWPTx, OSCP, OSWA, CISSP, or other relevant certifications are highly preferred.

Responsibilities:

WHAT YOU’LL DO

  • Conduct automated and manual testing of our web applications, micro-services, APIs, infrastructure, and other properties to identify vulnerabilities
  • Work with engineering teams to complete targeted reviews of new features at key points of the software development lifecycle
  • Work with development teams to transparently build security checks into the CI/CD pipeline
  • Oversee our bug bounty program. Set scope, triage submissions, coordinate escalations to engineering teams, and reward bounties. Cultivate relationships with the ethical hacker community.
  • Identify metrics that can help measure effectiveness of controls, gaps in coverage, need for head count, and trends in findings.
  • Effectively communicate with others in the organization about open security risks, the factors contributing to them, and their prioritization, to collaboratively develop new security standards and reference architectures
  • Participate in a security on-call schedule and help support operational work related to your focus area
  • Establish yourself as a technical expert and foster a security-first culture through education, skill development, and implementation of effective processes and practices

REQUIREMENT SUMMARY

Min: 3.0, Max: 8.0 year(s)

Information Technology/IT

IT Software - Network Administration / Security

Software Engineering

Graduate

Proficient

1

Toronto, ON, Canada