Shutterfly is a company that focuses on making life's experiences unforgettable through self-expression. They are seeking a Senior Application Security Engineer to enhance their Application Security program, ensuring the security of critical applications while educating developers on vulnerability remediation.
Responsibilities:
- Manage our bug bounty program including triage, assessing impact, risk scoring (CVSS), helping to locate the vulnerable code, providing mitigation guidance, performing thorough re-testing, and refining program policy and scope as needed
- Vulnerability Management: Identify, triage, and remediate application vulnerabilities (SAST, SCA, IAST) using automated tools or manual testing
- Web Penetration Testing: Assist with internal web penetration tests and coordinate with third-party testers
- Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications
- Incident Response: Collaborate with incident response teams to investigate and remediate application-related security incidents
- Security Tooling: Evaluate, implement, maintain and decommission security tools and platforms to support application security efforts (SAST, SCA, DAST, IAST, RASP, WAF, ASPM, CNAPP, CSPM)
- Continuous Improvement: Maintain up-to-date knowledge of relevant security threats, mitigations, and security best practices
- Secure SDLC: Define and implement secure development practices, including code reviews, static/dynamic analysis, and CI/CD pipeline integration
- Provide guidance and recommendations to software engineering teams to implement effective security measures to mitigate risks
- Become a Subject Matter Expert and top technical resource to engineers around the organization
- Help engineers reproduce vulnerabilities, understand their impact, document issues, mitigate them, and retest the effectiveness of a fix
- Perform and lead code reviews of critical PRs and code changes
- Security Architecture & Design: Partner with engineering teams to design secure systems and applications, ensuring security is built-in from the ground up
- Initiate and lead design, architecture, and solution reviews
- Mentorship & Leadership: Mentor junior security engineers and developers on secure coding practices and security principles
- Build relationships with stakeholders and business leaders across the organization
- Cross-Functional Collaboration: Work closely with product, engineering, DevOps, and compliance teams to align security with business goals
Requirements:
- Bachelor's degree in computer science, cybersecurity, or related technical field
- Proficient in one modern programming language (preferably Java) and can review code in most major languages
- Strong analytical and problem-solving abilities with a risk-based security approach
- Advanced user of Burp Suite Pro, bonus if you have created custom extensions in Java or Python and have used or modified existing extensions
- Excellent communication and collaboration skills, able to work across IT, engineering, and business teams
- Full stack web development experience within an active security program
- Experience managing a bug bounty program
- Have a security certification that demonstrates proficiency in web assessments, secure coding, and professional report creation (For example: OSWA, OSWE, GWAPT, GWEB)
- Submitted reports to bug bounty programs or VDPs, and you've found a CVE along the way
- Strong command-line and scripting skills (bash, zsh, Python) on Linux and macOS
- Enjoy attending security conferences and occasionally participate in CTFs
- Spend time on cyber security training platforms (HackTheBox, TryHackMe)
- Work with engineering teams to develop secure code libraries
- Experience deploying and managing a RASP solution (e.g. Contrast, Prevoty) on multiple tech stacks
- Capable of rapidly learning and integrating emerging tools and platforms with minimal supervision