Application Security Engineer

Description

Sprout Social is looking to hire an Application Security Engineer to the IT team.

Why join Sprout’s IT team?

Sprout’s Corporate IT team is a combination of adjacent squads working on projects under one umbrella. This unique structure is an exciting opportunity to grow your career in technology with exposure to projects all across our discipline—something you don’t see often in other organizations. It allows us to move quickly and collaborate with minimal friction or red tape. As a part of this team, you’re also given the space and encouraged to stretch beyond your core function, and make a deeper impact on the broader organization. In short, the work you do here matters, and you feel that day in and day out. 

What you’ll do

• Conduct automated and manual testing of our web applications, micro-services, APIs, infrastructure, and other properties to identify vulnerabilities
• Work with engineering teams to complete targeted reviews of new features at key points of the software development lifecycle
• Work with development teams to transparently build security checks into the CI/CD pipeline
• Oversee our bug bounty program. Set scope, triage submissions, coordinate escalations to engineering teams, and reward bounties. Cultivate relationships with the ethical hacker community.
• Identify metrics that can help measure effectiveness of controls, gaps in coverage, need for head count, and trends in findings.
• Effectively communicate with others in the organization about open security risks, contributing factors to and prioritization of those risks to collaboratively develop new security standards and reference architectures
• Participate in a security on-call schedule and help support operational work related to your focus area
• Establish yourself as a technical expert and foster a security-first culture through education, skill development, and implementation of effective processes and practices

What you’ll bring

These are the minimum qualifications that our hiring team is looking for in this role:

• 3+ years of experience performing security assessments for a variety of systems, applications, APIs, and proprietary technology to secure cloud-based and containerized environments
• Advanced knowledge and understanding in various disciplines: web application security, mobile app security, network security, operating system internals and hardening, applied cryptography, cloud computing. (You're expected to be an expert in at least one of these areas.)
• Experience writing and maintaining code in at least one common programming language such as Python, Go, Javascript, etc and a desire to continue learning
• Experience with manual and automated software testing, fuzzing, static/dynamic code analysis, and manual code reviews

Additionally, these are the preferred qualifications that would indicate a particularly strong candidate:

• Experience leading “shift left” efforts to transparently build security into the software development lifecycle and implement pragmatic defenses
• Familiarity with technology/tools such as Kubernetes, Docker, Jenkins, Terraform, AWS, Github, etc
• Experience managing a vulnerability management program, performing documenting threat modeling processes, and an expert in determining the severity of a vulnerability to the business.
• Strong verbal and written communication, and the ability to tailor your message to audiences across and beyond the organization
• Have experience building security tools, scripts, and automation
• Have familiarity with AI/ML security risks such as data poisoning, model extraction, adversarial examples, etc. and mitigations
• Certifications such as GWAPT, eWPT/eWPTx, OSCP, OSWA, CISSP, or other relevant certifications are highly preferred.

How you’ll grow

Within 1 month, you will have:

• Experienced Sprout’s in-depth onboarding, covering everything from our company mission and values, hearing directly from executives and founders, to deep training on our products and the value that Sprout delivers to our customers
• Made a plan with your manager and colleagues to set initial priorities, align on expectations for your role, plant goalposts for your career, and learn about Sprout’s approach to security
• Learned our existing tooling and begin monitoring the status of our environments
• Begun collaborating regularly with teammates and get up to speed on our current and future initiatives
• Begun receiving feedback on your approach to managing and engaging our existing risks and security capabilities

Within 3 months, you will have:

• Have worked with teammates to create and prioritize team quarterly objectives and key results
• Begun deconstructing larger security projects into smaller, more manageable deliverables
• Started fully understanding the breadth and depth of technologies and tools under the team’s purview
• Evaluated and triage alerts triggered from our monitoring platforms
• Participate in Security on-call rotation
• Build connections with members from other teams through active networking and community building to help foster a security-first culture

Within 6 months, you will have:

• Measurably improved the security tooling and telemetry used at Sprout
• Examples of security gaps identified within our systems, plans documented to mitigate identified risks, and work prioritized within various team’s workstreams
• Improved upon internal and external security policies and standards
• Created standard reports on security health and recommendations based on KRI and other measurable metrics
• Completed your first semi-annual performance review with your manager, where you’ll discuss your accomplishments in your role and work together to build goals/objectives and personal key results for your professional growth

Within 12 months, you will have:

• Become a go-to expert and application security representative within Sprout
• Become a trusted partner in the creation of the security roadmap for future work
• Effectively communicated with partners across the organization to ensure big-picture alignment and encourage cross-team collaboration
• Surprise us! Use your unique ideas and abilities to change Sprout Security in beneficial ways that we haven’t considered yet

Of course, what is outlined above is the ideal timeline, but things may shift based on business needs and other projects and tasks could be added at the discretion of your manager.

Our Benefits Program

We’re proud to regularly be recognized for our team, product and culture. Our benefits program includes:

• Insurance and benefit options that are built for both individuals and families
• Progressive policies to support work/life balance, like our flexible paid time off and parental leave program 
• High-quality and well-maintained equipment—your computer will never prevent you from doing your best
• Wellness initiatives to ensure both health and mental well-being of our team
• Ongoing education and development opportunities via our Grow@Sprout program, employee-led diversity, equity and inclusion initiatives and mentorship programs for aspiring leaders
• Growing corporate social responsibility program that is driven by the involvement and passion of our team members

Candidates for this remote work opportunity must be based in either British Columbia or Ontario. If you are based in another location within Canada, we aren’t able to hire in your location at this time; however, if you’d like to stay in touch with us in case that changes in the future, please apply and we’ll save your application for possible future consideration.

#LI-Remote

When you apply for employment with Sprout Social, we will process your job applicant data, including your employment and education history, transcript, writing samples, and references as necessary to consider your job application for open positions. Your personal data will be shared with Greenhouse Software, Inc., and Crosschq, Inc., cloud services providers located in the United States of America and engaged by Sprout Social to help manage its recruitment and hiring process on Controller’s behalf. Accordingly, if you are located outside of the United States, by clicking “Submit Application” on this site, you consent to the transfer of your personal data to the United States. For more information about our privacy practices please visit our Privacy Policy. California residents have additional rights and should review the Additional Disclosures for California Residents section in our Privacy Policy.