Staff Engineer, Application and Product Security

What you will be doing:

• Implement and maintain DevSecOps tools, including Static Application Security Testing (SAST), Software Composition Analysis (SCA), and secret scanning.
• Execute and refine security testing protocols, including penetration testing, Dynamic Application Security Testing (DAST), API security testing, web testing, and mobile testing.
• Automate high-fidelity end-to-end (E2E) testing for all API changes before production deployment. Integrate with existing engineering processes. 
• Lead Product Security Incident Response Teams (PSIRT) playbook, mature detection and response rules, and actively neutralize against product security threats (such as Account Takeover, API abuse, etc).
• Lead and execute threat modeling exercises across varying scope of the organization. Identify security gaps and control recommendations, including client and server-side controls.
• Design, review, and manage security controls, including user registration, authentication/authorization, password management, account takeover protection, and application layer threat detection. Enhance security tool accuracy and oversee vendor/open-source proof-of-concepts (PoVs).
• Evangelize and promote standardized application logging practices across the organization.
• Evaluate and provide strategic guidance on mitigating security risks efficiently.
• Contribute to various aspects of the Information Security Program, including data privacy, penetration testing, audit evidence production, security awareness training, and enterprise risk management.
• Guide engineers at all levels in designing and integrating security aspects into Greenlight’s products, services, and software development lifecycle (SDLC). Evangelize security culture through security champion program and technical developer-focused security training. 

What you bring:

• 10+ years of experience in application and product security with a strong software engineering foundation
• Expert understanding of mobile, web, cloud, container, and cryptographic technologies and security practices.
• Offensive security minded with in-depth knowledge of current and emerging cyber threats, testing procedures, and their mitigations.
• The ability to quickly and deeply learn new technology stacks and modern CI/CD pipelines, including Docker, Kubernetes, AWS, Kotlin, Node.js, Android, iOS, Swift, and gRPC.
• Strong independent critical thinking with the capability to form and defend opinions through knowledge sharing.
• Skillful in assessing and managing security risks with a pragmatic solution-first approach.
• Commitment to continuous improvement, ongoing education and knowledge sharing with peers.
• A humble, collaborative, and supportive approach to teamwork
• Relevant certifications (e.g OSCP, OSWE, GWAPT, GMOB, CISSP) are a plus.