Senior AppSec Engineer
Demandbase is the Smarter GTM™ company for B2B brands. We help marketing and sales teams overcome the disruptive data and technology fragmentation that inhibits insight and forces them to spam their prospects. We do this by injecting Account Intelligence into every step of the buyer journey, wherever our clients interact with customers, and by helping them orchestrate every action across systems and channels - through advertising, account-based experience, and sales motions. The result? You spot opportunities earlier, engage with them more intelligently, and close deals faster.
As a company, we’re as committed to growing careers as we are to building world-class technology. We invest heavily in people, our culture, and the community around us. We have offices in the San Francisco Bay Area, New York, Seattle, and teams in the UK and India, and allow employees to work remotely. We have also been continuously recognized as one of the best places to work in the San Francisco Bay Area.
We're committed to attracting, developing, retaining, and promoting a diverse workforce. By ensuring that every Demandbase employee is able to bring a diversity of talents to work, we're increasingly capable of living out our mission to transform how B2B goes to market. We encourage people from historically underrepresented backgrounds and all walks of life to apply. Come grow with us at Demandbase!
About the role:
As a Product Security Engineer you will work closely with our engineering and development teams throughout the software development lifecycle. At a high level we expect you to be proficient in manual and automated code reviews, threat modeling, and providing timely and practical product security advice. We are keen on helping our engineers to design and build secure products and services by shifting left and incorporating principles of zero-trust and security at-scale in a fast-paced, multi-cloud environment. You must be eager to learn, teach, cross-train, and work with multiple groups across multiple time zones (IST, PST, EST).
What you’ll be doing:
- Perform targeted, time-bound, gray-box and black-box technical security assessments of our web applications, mobile clients, APIs, and internal tools
- Identify and prioritize risks by performing threat modelling using realistic and relevant abuse scenarios based on recognized frameworks such as DREAD, STRIDE, and ATT&CK
- Own our security checklist review and automation process and implement process improvements to support self-service and risk-based flexible review options
- Provide developers and engineers with self-service tooling (IDE plugins, AI automation, etc.) and facilitate targeted training opportunities to help them design and write secure code
- Work hand-in-hand with Ops and cloud security teams to make sure the security of our SDLC process and CI/CD pipeline is best-in-class
- Support internal and external security testing, reporting, and remediation requirements, such as the annual pentest, red teaming, and the bug bounty program
- Monitor, track, and report product security metrics and manage the issue remediation SLA across all our products and services
- Hold product security office hours and facilitate team collaboration and sharing activities such as mentoring junior team members, organizing monthly lunch-n-learns, quarterly bug bashes, and annual hack-a-thons
- Stay abreast of emerging classes of vulnerabilities and develop solutions and strategies to address them in our platform
What we're looking for:
- 4-6 years of relevant experience in a similar role
- Proven experience in conducting and leading security reviews of web applications in a modern, multi-cloud and fast-paced environment
- Impeccable written and verbal communication skills and a strong ability to communicate with empathy and credibility when delivering feedback and security recommendations to engineers and product owners
- Expert familiarity with common web application testing tools, such as Burp Suite, ZAP, or Postman, and the ability to apply that knowledge to practical testing scenarios
- Expert knowledge of common security flaws (OWASP Top 10, CWE Top 25), as well as how to identify and mitigate them
- Knowledgeable in testing code and applications for security issues across various supported platforms such as OSX, Linux, Windows, iOS, Android, etc.
- Strong understanding of large scale web application security architecture and security at-scale design principles
- Strong knowledge of deploying, operating, and securing web applications and APIs in multi-cloud environments such as AWS, GCP, and Azure
Nice to haves (pluses):
- Though this is not a development role, some background in software engineering in a collaborative and multi-cloud environment is a plus
- Experience with cloud security tools such as Wiz, Orca, Aqua, or similar
- Proficiency in scripting in at least one programming language
- Ability to automate security testing and improve productivity in security assessments
- Relevant degrees or security certifications like GWAPT, GPEN, OSCP, CEH, etc.