iHerb is a global leader in health and wellness eCommerce, seeking a Principal Application Security Engineer to enhance their security practices. The role involves leading security initiatives, ensuring secure development processes, and addressing emerging security threats across their platforms.
Responsibilities:
- Lead cross-functional projects and establish cutting-edge security development lifecycle practices
- Direct security design reviews and threat modeling for new and existing services at iHerb
- Evaluate, prototype, implement, and operate security-focused tools and services
- Create new secure architecture standards, frameworks and patterns spanning multiple layers
- Discover and analyze emerging security threats, determining applicability to iHerb and proactively implement centralized mitigations
- Evaluate, prototype, implement, and operate security tools and services (DAST, SAST, SCA...)
- Maintain a strong knowledge of current security threats and operational best practices
- Drive our security assessment, penetration testing and bug bounty programs
- Participate in security incident response
Requirements:
- Demonstrated technical foundation (Computer Science / Engineering degree or equivalent experience) with an innate ability to translate technical vulnerabilities into organizational risks
- 8+ years of technical security leadership at a top-tier software company including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security, and broader cloud computing technologies
- Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)
- Proficiency implementing SDL process, technology, and automation in a DevOps environment
- Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection and encryption
- Knowledge of major programming languages and frameworks (e.g. Python, C# .NET, JavaScript, Node.js, Java...)
- Excellent problem solving, critical thinking, collaboration and communication skills
- Experience with Cloudflare security, AWS VPCs, EC2 instances and Docker
- Ability to drive good decisions through data with great attention to detail and deliver KPIs
- Experience driving application security training, security champions and awareness campaigns
- Active contributor to the security community (research, open source, publications…) with the ability to attract and hire great talent