Job Summary:

We are on a journey to build an industry-leading Digital Platform to power multiple existing brands and enable smooth integration of future brands. The Principal Application Security Engineer plays a critical role in our mission to deliver the most secure, privacy-focused, and compliant customer-facing brand websites.

Although this role is part of the Information Security organization, the experienced incumbent will be embedded with development teams and data scientists. They will collaborate effectively with various teams within technology and product, and be responsible and accountable for creating programs and driving the performance of secure software development practices, including addressing vulnerabilities and software security defects, and managing software supply chain threats and risks.

This opportunity rewards the incumbent with a chance to originate security programs, tasks, and methodologies to build products that allow more customers to enjoy our iconic brands.

Essential Functions

Application Development Lifecycle Security

• Independently ensure identified software defects are properly triaged, prioritized based on criticality, and mitigated.
• Automate discovery, profiling, and continuous security monitoring of code.
• Integrate the security toolset into the CI/CD pipeline.
• Manage current application security toolset and advise on improvements.
• Define, document, and update the software supply chain program, including software bill of materials (SBOM).
• Inventory, document, monitor, and secure production APIs.
• Conduct threat assessments, build threat models, and create remediation plans.
• Perform or facilitate security risk assessments.
• Engage web application penetration testers as needed.
• Guide discussions on security strategy and architecture changes.
• Work with the privacy function to implement data protection requirements.

Vulnerability Disclosure Program

• Manage vulnerabilities identified by independent researchers and vet them for accuracy.
• Assess vulnerabilities against risk and criticality and manage them alongside other security defects.

Additional Responsibilities

• Define and develop the Application Security strategy and roadmap.
• Conduct necessary testing, scanning, and remediation of internet-facing web applications for ADA compliance.
• Manage the development environment Identity and Access Management.
• Ensure security policies for data at rest and in transit in cloud assets.
• Manage vendor relationships, including contract review, quarterly business reviews, and performance metrics.
• Design security compliance metrics that align with Application Security requirements.
• Assist with triaging potential security incidents.

Skills & Abilities

• Knowledge of GCP and AWS.
• Proficiency in Python or other scripting languages.
• Ability to work independently with minimal supervision.
• Strong interpersonal and communication skills to interact with IT, security, and business leaders.
• Ability to identify or develop creative solutions to complex business issues.
• Strong project management skills.