Sr. Product Security Engineer
About Us
SailPoint is the Worldwide Leader for Enterprise-Class IAM. We minimize risk and maximize business growth by managing access to data and resources across your enterprise. We do it effectively and securely for every person who interacts with your organization—any user, on any device, anywhere in the world. We were first to recognize that companies could benefit from an approach to identity that addresses both IT and business priorities. We developed a unique, risk-based model and leveraged that approach for everything from compliance to user provisioning. Then we followed that with the industry's first solution for truly extending enterprise identity management to applications in the cloud.
Today, we offer comprehensive products that can handle enterprise IAM on-premises or as a cloud-based service. This gives you the freedom to choose the best solution for your current needs, while at the same time establishing a clear path for future growth.
SailPoint is seeking an Application Security Engineer to join our Security Team. Candidates should have a thorough understanding of the Software Development Lifecycle (SDLC), from initial design through ongoing penetration testing to vulnerability remediation. In this role, you will identify and validate vulnerabilities, work with engineering teams to identify the root cause and provide practical recommendations to remediate identified issues. We’re looking for a well-rounded engineer with a breadth of knowledge in application security.
Responsibilities:
- Perform design and code reviews for security best practices.
- Evaluate security vulnerability scan (SAST/DAST/IAST) findings and enforce remediation lifecycles.
- Research, investigate and perform risk analysis of new findings surfaced by various application security tools and services.
- Educate developers on application security best practices throughout the SDLC.
- Support software developers in triaging and remediating security issues.
- Manage tuning and filtering of security tooling to help remove false positives or false negatives.
- Evangelize security tooling throughout the organization.
- Be an influencer of change while maintaining a strong relationship with the engineering organization.
- Support vendor and partner security assessments.
- Contribute to the creation of security training and deliver it to internal teams.
- Coordinate and manage third-party penetration tests.
- Build and maintain the bug bounty program.
- Develop tooling and automation to facilitate continual testing and increase coverage.
- Prepare reports on project progress and present results to internal and external development teams and management.
- Contribute to maturing process, policy and standards guidance.
Background & Experience:
- Strong sense of ownership, urgency and drive.
- Ability to proficiently code in Java, Objective-C, C++, Python and NodeJS.
- Ability to understand various application code bases regardless of the programming language.
- Ability to describe security best practices to software development / engineering teams.
- Ability to understand complex software architectures and their deployment models.
- Ability to understand security issues identified by security scans regardless of application programming language.
- Solid understanding of web application security frameworks, including the OWASP Top 10.
- Ability to research, analyze, and understand known and new CVEs.
- Strong knowledge of CI/CD build systems, microservices, and continuous integration/deployment practices.
Qualifications
- 1+ years of experience as a Software Developer or Security Engineer with active design & development experience in languages such as Java, Python, Objective-C and NodeJS.
- In-depth application development knowledge of at least one of the following: Java, Python.
- Experience with enterprise management of SAST/DAST/IAST tools.
- Experience working in collaboration with software engineering organizations to improve security posture.
- Must be self-directed and able to work independently as well as in a team environment.
- Resourceful in finding solutions.
- Proven consulting and facilitation skills.
- Excellent verbal and written communication skills.
Education:
Bachelor's degree in Computer Science or other technical discipline, or equivalent experience. Some combination of the following security certifications: OSCP, OSWE, CTP, GIAC, CPT/CEPT, etc. AWS or other cloud solution provider certifications a plus.
All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status.