Staff Application Security Engineer

Job Description:

As an Staff Application Security Engineer at EDB you will report directly to the Director of Information Risk Management as a trusted member of the CISO staff. Your role leads the transformation of the security and development processes within EDB, helping the organization identify, repair and protect against vulnerabilities throughout a secure software development lifecycle (SDLC). You are responsible for understanding multiple security frameworks, translating objectives, partnering with stakeholders and promoting best practices across all EDB products. The ideal candidate must be comfortable working in a global environment that supports flexible work schedules, and a distributed security model. Whether you are looking to expand autonomy in your role, build a new security foundation, or just needing a change of pace this role is for you!

What your impact will be:

• Support the development and implementation of EDB’s application security services to be consumed by product teams and within our global infrastructure. 
• Serve as an expert on application security frameworks and objectives by assisting owners as they define new control activities and seek maturity in their development processes
• Build tools, processes and solutions that improve the security of EDB’s products and data
• Collaborate with internal engineering stakeholders on addressing systemic security issues
• Grow and mature relationships with internal security SMEsin a way that bridges the gap between product teams and information security 
• Support Vulnerability Disclosure Program, triage, assess and analyze vulnerability reports submitted through the VDP, prioritizing them based on severity, risk, and exploitability.
• Coordinate vulnerability remediation, Work with internal development teams to reproduce, validate, and prioritize vulnerabilities. Facilitate timely patch development and deployment, ensuring efficient resolution.
• Produce application security metrics that demonstrate a continually improving application security posture
• Partner with InfoSec Program Management on the roadmap and execution of security initiatives.
• Support and manage EDB’s Vulnerability Disclosure program 
• Proficiency with threat modeling frameworks such as STRIDE, DREAD, PASTA, or OCTAVE.
• Experience with threat modeling tools, especially the process of selecting and implementing a new tool to partner with a new threat modeling process.
• Experience with Open Source Software (OSS) including familiarity with various open source licenses like MIT, GPL, Apache etc. 
• Experience with implementation of security best practices related to securing the software supply chain, including patch management, vulnerability scanning, package management and tooling.

What you will bring:

• Extensive experience working with developers and driving application security standards
• Experience securing CI/CD pipelines enabling strong security controls through the implementation of commercial and custom built tooling
• Conduct application design reviews and support the development of compensating security solutions
• Drive the integration of secure development standards, tools, and processes into the development lifecycle
• Experience in threat modeling frameworks and processes
• Experience performing code audits on internal and open source libraries 
• Experience with DAST, SAST, SCA as well as manual testing techniques
• Ability to demonstrate strategic thinking beyond the specific responsibilities of the role
• Effective communication skills with the ability to translate technical concerns into business risk impacts
• Personal management of multiple projects, security events and incidents as required for the role
• Seek to understand, lead with a collaboration first approach
• Experience assessing technical footprints found within on-prem and cloud environments
• Strong experience in NIST 800-218 SSDF, BSIMM, Owasp SAMM,  or similar frameworks

What will give you an edge:

• RedTeam knowledge and experience
• Experience performing security code reviews
• Experience with IaaS cloud infrastructure, Infrastructure as code,  kubernetes container technologies, and software-oriented architecture
• Knowledge of the MITRE ATT&CK Framework and attack chains
• Experience building and operating security tools in Multiple Operating Systems and various languages (C, Go, JavaScript, Python, Ruby, etc)