Bonterra is a company dedicated to increasing the giving rate as a percentage of GDP, aiming to enhance the social good industry. They are seeking a Senior Product Security Engineer to integrate security into the software development lifecycle, collaborating with various teams to identify and mitigate security risks while supporting secure development practices.
Responsibilities:
- Lead threat modeling and security design reviews for assigned products and services
- Partner with product managers and engineering leads to help define practical security requirements and guardrails while reducing friction points
- Participate in the growth and evolution of the Security Champion program, helping enable and support secure development practices across the engineering teams
- Assess product architectures, data flows, and integrations to identify security risks and provide actionable recommendations for remediation
- Collaborate with teams to make informed, risk-based security decisions that consider real-world usage, customer impact, and business priorities
- Provide clear, actionable guidance to engineering teams on secure design and implementation patterns
- Review and triage security findings from internal testing, bug bounty programs, and third-party assessments
- Support vulnerability disclosure and coordinated response in collaboration with security and engineering partners
- Contribute to the development and adoption of secure-by-design patterns and reusable security components
- Contribute ideas, feedback, and implementation support toward product security metrics, practices, and roadmap initiatives under the guidance of senior security leadership
- Support DevOps and Application Security engineers by identifying gaps and assisting with improvements in existing DevSecOps workflows and CI/CD pipelines
- Help implement and maintain security tooling and automation for static analysis (SAST), dynamic analysis (DAST), and other automated security checks within the CI/CD workflows
- Participate in audits and assessments by providing technical input and evidence in coordination with Risk & Compliance teams
- Assist customer-facing teams with security reviews and questionnaires by providing technical context and documentation when requested
- Stay current on emerging threats, attack techniques, and industry best practices
Requirements:
- 5+ years of experience in product security, application security, or secure software engineering
- Strong understanding of product architecture, APIs, and distributed systems
- Experience performing threat modeling and security design reviews
- Ability to assess security risk in the context of product functionality, customer experience, and business impact
- Experience collaborating cross-functionally with product managers and engineering teams
- Ability to influence and guide partners through collaboration rather than authority
- Working knowledge of modern application development practices, CI/CD processes, and how security integrates into them
- Familiarity with security tools including SAST, DAST, SCA, and related DevSecOps controls
- Strong understanding of common web application vulnerabilities (e.g., OWASP Top 10) and secure design principles
- Experience helping implement security controls and automation within CI/CD pipelines
- Strong communication skills with the ability to translate technical risks into clear, actionable guidance
- Experience supporting interactions with external stakeholders such as customers, auditors, or partners on security-related topics
- Familiarity with common compliance frameworks such as SOC 2, NIST, ISO 27001, PCI-DSS, and HIPAA
- Background in software engineering, DevOps, or system architecture
- Experience working with SaaS platforms in a product-focused environment
- Familiarity with secure cloud architecture and configuration, particularly in AWS environments