Senior Application Security Engineer

Nihonbashi, Tokyo

Applications have closed

Woven Planet Holdings, Inc.

Woven by Toyota innovates and invests in new technologies, software, and business models that transform how we live, work, and move.

ABOUT WOVEN PLANET GROUP

Woven Planet Group (Woven Planet) represents a carefully curated blend of expertise and resources dedicated to bringing the vision of “Mobility to Love, Safety to Live” to life. Through innovations and investments in automated driving, robotics, smart cities, and more, we are transforming how humankind lives, works, and moves. We exist to design, build, and deliver secure, connected, and sustainable mobility solutions that benefit all people worldwide. Founded in 2018 as Toyota Research Institute - Advanced Development (TRI-AD), Woven Planet is composed of four complementary companies: Woven Planet Holdings, Woven Core, Woven Alpha, and Woven Capital.
Visit us to learn more: https://www.woven-planet.global/

TEAM

The security team at Woven Planet is on the cutting edge of many challenging security problems. We identify emerging security threats in autonomous vehicles and help design more secure systems. We work closely with internal platform teams to provide a secure development environment through tooling and automation, allowing developers to innovate quickly without compromising security.

WHO ARE WE LOOKING FOR?

We are looking for an expert Application Security Engineer with a strong background in secure software development to ensure that our software systems are designed and implemented to the highest standards. The scope of the role is broad; you will participate in the secure design of new services and products, analyze applications for vulnerabilities, work with developers to resolve security issues, and build tools for security automation. You will also help improve our application security program by developing technical standards and processes which allow developers to write secure software.
The successful candidate will have a good mix of deep technical knowledge and a demonstrated background in information security. We value broad and deep technical knowledge, specifically in the fields of application security for cloud systems, operating systems, cryptography, web applications, and embedded systems.

RESPONSIBILITIES

  • Partner with development and operations on designing and building secure applications for critical Woven Planet systems. When gaps are identified, drive issues to resolution by providing in-depth advisories, building tools, or contributing code as necessary. 
  • Perform threat modeling and application security assessments for projects across the organizations.
  • Improve the application security program by enhancing technical standards and guidelines to foster secure development practices.
  • Improve the accessibility and enforceability of security through automation, CI/CD pipelines, and other means.
  • Perform static/dynamic security testing for applications developed by Woven Planet to identify vulnerabilities and security defects. 
  • Manage the lifecycle of vulnerabilities, from identification to remediation and reporting.
  • Mentor software engineers and provide training on security best practices.
  • Communicate effectively at multiple levels of sensitivity and to multiple audiences.

MINIMUM QUALIFICATIONS

  • 5+ years of relevant, broad engineering experience in information security or software development.
  • 3+ years of experience on an Application Security team, especially in providing security requirements, conducting risk assessment, threat modeling, and security code review.
  • Good understanding of software, computer, network architectures, and practical cryptography usage.
  • Hands-on experience with software development in one or more general-purpose development languages such as Python, Ruby, Go, C/C++, Java, and JavaScript.
  • Understanding of at least one security development methodology (e.g. Microsoft SDL, OWASP OpenSAMM, BSIMM).
  • In-depth knowledge of secure coding principles and common application security vulnerabilities, such as OWASP Top 10 and CWE 25 vulnerabilities.
  • Well-versed in large-scale application design, application security testing, and risk management. 
  • Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies.

PREFERRED QUALIFICATIONS

  • Good knowledge of security features and mechanisms provided by AWS or GCP. AWS Certified Security or GCP Professional Cloud Security Engineer is a plus.
  • Deep knowledge of authentication protocols and frameworks to include OAuth, OpenID, SSO/SAML, and AWS IAM.
  • Experience implementing DevSecOps pipelines and converting manual processes into automated processes.
  • Success in implementing effective Secure SDLC frameworks across a large corporation.
  • Experience in managing application security testing tools like SAST, DAST, and Open Source Vulnerability Scanning. 
  • Good understanding of the following technologies and concepts: Microservice Architecture, Docker, Infrastructure as Code, CI/CD pipelines, Kubernetes.
  • Familiarity with security and privacy frameworks and regulations (e.g. SOC, PCI-DSS, ISO, GDPR, CCPA).

If you are currently located outside of Japan, don't worry, we'll set an interview over Google Hangout Meet or Skype.

Tags: Application security Automation AWS BSIMM C C++ CCPA CI/CD Cloud Cryptography DAST DevSecOps Docker GCP GDPR IAM Java JavaScript Kubernetes OpenID Open Source OWASP Privacy Python Risk assessment Risk management Ruby SAML SAST SDLC Security assessment SSO Vulnerabilities

Region: Asia/Pacific
Country: Japan