YipitData, the leading market research and analytics firm for the disruptive economy, is seeking a Sr. Product Security Engineer to manage the organization's vulnerability management program. The role involves collaborating with engineering teams to ensure that security controls are effective and that vulnerabilities are tracked from discovery through remediation.
Responsibilities:
- Own the end-to-end vulnerability lifecycle: intake, triage, assignment, remediation coordination, verification, and closure across all finding sources (dependency scanning, secrets scanning, IaC scanning, container scanning, SAST, DAST, and manual assessments)
- Enforce severity-based SLAs, escalation paths, and ownership expectations. Track remediation timelines and follow up with engineering teams to ensure findings are resolved within policy requirements
- Aggregate findings centrally from all scanning tools and sources into a unified tracking system. Ensure every finding has a clear owner, status, and target remediation date
- Manage exception and risk acceptance workflows. Process exception requests, document compensating controls, and ensure approvals are captured with appropriate evidence
- Produce vulnerability posture reports and dashboards, including aging analysis, SLA compliance, scanner coverage, and trend reporting by severity, team, and business unit
- Coordinate with engineering teams on remediation prioritization, providing context on severity, exploitability, and business impact to support informed decision-making
- Drive reduction of aging findings through proactive follow-up, workflow automation, and escalation when remediation stalls
- Assist the DevSecOps Lead with implementation of baseline security controls such as branch protection, admin enforcement, pull request requirements, review approvals, code owners, secrets scanning, SCA, IaC scanning, and container image scanning
- Help integrate controls into repositories, CI/CD pipelines, registries, and deployment workflows as directed by the DevSecOps Lead and Platform Team
- Validate that controls are functioning as intended, producing actionable findings, and are difficult to bypass. Report gaps or misconfigurations to the DevSecOps Lead
- Assist with onboarding new teams to the secure pipeline by providing hands-on support, troubleshooting, and guidance based on approved templates and reference implementations
- Support the DevSecOps Lead in maintaining and socializing the Secure Software Development Lifecycle policy and implementation guide
- Help maintain templates, configuration standards, and setup guidance for teams adopting SSDLC controls
- Assist with reference repository maintenance, ensuring it stays current with approved Phase 1 controls and serves as useful onboarding documentation
- Participate in office hours, reviews, and implementation support sessions to help business units adopt secure development practices
- Own vulnerability management metrics and reporting, including finding counts by severity, aging, SLA compliance, remediation rates, and scanner coverage
- Contribute to broader security metrics such as control coverage, adoption rates, and exception tracking as directed by the DevSecOps Lead
- Prepare audit-ready evidence related to vulnerability management — demonstrating that findings are tracked, SLAs are enforced, and remediation is verified
- Support the DevSecOps Lead in preparing leadership updates, compliance evidence, and cross-functional communications
Requirements:
- 3–6 years of experience in security operations, vulnerability management, application security, DevSecOps, or a related security engineering role
- Hands-on experience with vulnerability management workflows — intake, triage, assignment, remediation tracking, and reporting
- Working knowledge of common scanning tools and finding types, including dependency scanning (SCA), secrets scanning, IaC scanning, container scanning, and/or SAST/DAST
- Familiarity with Git-based workflows, CI/CD systems, and cloud-native development environments
- Experience producing security metrics, dashboards, and reports for technical and leadership audiences
- Strong organizational and follow-through skills — ability to track many findings across multiple teams and drive them to resolution
- Clear written and verbal communication skills with the ability to coordinate across engineering, security, and business teams
- Experience with vulnerability aggregation platforms or security finding management tools
- Familiarity with GitHub Enterprise, GitHub Actions, or similar CI/CD platforms
- Experience supporting SOC 2 or similar audit and compliance requirements, particularly around vulnerability management evidence
- Exposure to ticketing system integrations (e.g., Jira) for vulnerability assignment and tracking workflows
- Familiarity with supply chain security concepts including SBOMs, image signing, and artifact integrity
- Relevant certifications (preferred, not required): GSEC, Certified DevSecOps Professional (CDP), CISSP, CSSLP, or SSCP