Senior Engineer - Product Security

The College Board
Saint Paul, MN Full Time
POSTED ON 1/15/2025
AVAILABLE BEFORE 4/10/2025

Senior Engineer - Product Security
College Board - Technology
Remote

About the Team

The College Board Product Security team is a close-knit and enthusiastic group of technologists with a thirst for knowledge in all things Security and Cloud. We collaborate closely every day to investigate and solve problems and have strong alignment with our Product Teams in order to be a step ahead in securing the organization's suite of Products. We are an agile organization, embracing DevSecOps and cloud-native systems, and are focused on improving speed and security of service delivery in support of our important mission. Our team is committed to diversity and inclusion, and we work to ensure everyone on the team has a voice. We hire great people from a wide variety of backgrounds and experience.

About the Opportunity

Our College Board Product Security Engineers work closely with Information Security, Governance and Compliance and Product teams to achieve product and security business objectives. They support the implementation of secure development practices, threat modelling, architecture, design, vulnerability assessments and security verification, as well as defining the security standards and managing operations for a variety of products and security tools.

In this role, you will frequently interact with a variety of stakeholders in Technology and on the Business side to provide hands-on risk remediation or recommendation solutions, including secure patterns and mitigation strategies. You will understand our product landscape; propose, and drive to implementation, new innovative security solutions and updates to existing solutions; negotiate alternative options; and build technical and release roadmaps. As a Senior Engineer, you will lead and mentor junior team members, supporting their growth and development in Product Security concepts, tools and best practices.

In this role, you will:

Partner Program - Partnership Development (50%)
  • Act as a liaison between Product Security teams (both in IT and outside of IT) and the Information Security Office via regular engagements with assigned Partner teams. Embed into planning and grooming sessions.
  • Develop deep understanding of our Security Policies and Audit requirements in order to support assigned Partner teams, GRC Exceptions and Audit efforts (PCI, SOC2, ISO27001, GDPR, State Contract requirements)
  • Create Threat Models and Risk Registers for your assigned products and communicate application risks and vulnerabilities to technical stakeholders.
  • Lead application vulnerability reviews and remediation efforts. Develop deep skill sets in understanding, managing and determining exploitability of vulnerabilities to properly determine risk and priority.
  • Work to gain a deep understanding of your assigned products' architectures, Supply Chain (Vendors, Partners, Third Party) Development Practices, CI / CD, GRC Exceptions, Release cadence in order to understand and support mitigation of security risks.
  • Lead efforts to mentor developers through discussions, presentations, or hands-on training sessions to demonstrate best practices in developing secure code and securing application infrastructure.
  • Ensure all assigned products and applications adhere to the Product Security Framework requirements and work to remediate any gaps.
Elevate Product Security (25%)
  • Drive and lead efforts to promote, grow and enhance the Product Security Partners program to develop Security Champions and enable dev teams to shift left.
  • Lead development of innovative guidance and training sessions to grow Product Team's Secure Development LifeCycle skills and awareness and cultivate a culture of Product Security
  • Coach product teams and junior team members on performing secure reviews of application architectures and document and advertise new security patterns as needed.
  • Partner with junior team members and foster their ability to develop threat models and risk assessments to identify application security weaknesses or lack of maturity in development processes and provide coaching on remediation strategies.
  • Innovate, stay atop current activities in the industry to support continuous improvement of our Partner Program.
Operations (25%)
  • Drive the implementation and operationalization of security tooling and common integrated development environments (AWS).
  • Drive development of key metrics and KPIs to measure Product Security impact and report on assigned partner teams' security posture and maturity of practices.
  • Participate in planning and grooming as part of agile ceremonies and manage assigned Epics.
  • Provide hands-on expertise with CI / CD and build pipelines to further enhance quality and security gates; lead integration of automated solutions to increase security in CI / CD.
  • Work with broader ISO team on incident response and operational / strategic initiatives.
  • Lead evaluation and improvement of new and existing security standards, tools, and solutions with a focus on automation and securing build pipelines for a shift left approach.

About You

You have:
  • 5-8 years of progressively responsible, directly related, hands-on experience in application security or DevSecOps
  • Strong hands-on knowledge of Secure Development practices, Secure Development LifeCycle, DevSecOps, Pen Testing and Threat Modeling
  • Solid experience with securing AWS Services, AWS Secure Architectures, Application Security and Cloud Applications, including Software Supply Chain and micro service architecture
  • Must have a thorough understanding of web protocols TCP / IP, UDP, HTTP, HTTPS, SSL, TLS, DNS, etc.
  • Hands-on experience of reproducing and remediating common application vulnerabilities (OWASP / SANS) such as cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors.
  • Solid hands-on experience with CI / CD, Node.js, React, RESTful APIs and common development frameworks (Angular, Bootstrap, Node, Struts, Spring, ASP.NET MVC, etc.)
  • Experience with key Development tools / systems (Artifact Management, Version Control, Work Tracking, Secrets Management, NPM, Build and Deployment Tools, etc.)
  • Experience with RESTful web services and APIs
  • Ability to travel when required.
  • You are authorized to work in the US

About Our Process
  • Application review will begin immediately and will continue until the position is filled
  • While the hiring process may vary, it generally includes: resume and application submission, recruiter phone screen, hiring manager interview, performance exercise such as live coding, a panel interview, a conversation with leadership and reference checks

About Our Benefits and Compensation

College Board offers a competitive benefits and compensation program that attracts top talent looking to make a difference in education. As a self-sustaining non-profit, we believe in compensating employees equitably in relation to each other, their qualifications, their impact, and the relevant market. The hiring range for a new employee in this position is $144,000 to $157,000. College Board differentiates salaries by location, so where you live will narrow the portion of this range in which you can expect a salary. Your salary will be carefully determined based on your location, relevant experience, the external labor

To view the full job description please use the link below.

Salary : $144,000 - $157,000
