Application Security Engineer

Boston

Applications have closed

SimpliSafe

Shop award-winning home security systems from SimpliSafe. Professional monitoring, protection from break-ins and hazards, and no contracts.


At SimpliSafe, we design, develop, manufacture, and sell our own line of wireless, connected home security systems: home sensors, cameras, and locks. Our technology and service platform secures the homes of millions of Americans without the hassles, long-term contracts, or fees of traditional home security. Protecting our customers and their families is a tremendous responsibility, so we are doubling our Information Security team to help build, develop, and drive our security program. With each release, we have new and complex problems to unravel.

As an Application Security Engineer, you will partner primarily with our development organization (Product, Firmware, Platform, and DevOps teams) to inspire and guide coders, architects, and QA. You will also work with security vendors to design, implement, and configure automated security controls. Building on our strong security-conscious culture, you will frequently face captivating security challenges, including vulnerability reports (internal and external) and a rapid pace within engineering. This will require you to balance the needs of the business with robust implementations of security controls such as WAF, SAST, and DAST within CI/CD, as well as authentication and authorization across software and firmware.

Are you excited to collaborate, negotiate, and build consensus across a broader organization centered on security? Can you pinpoint and prioritize architectural improvements? Are you ready to coach members of the Engineering organization on how to leverage security controls and tools to protect the apps/services they own against common weaknesses and unique threats?

Responsibilities:

  • Focus on the Secure Software Development Lifecycle, integrate with and understand our agile-based software development methodologies, and prioritize applications and services based on risk
  • Contribute to IoT and embedded security through our Software Architecture Leadership Team and Software Architecture Standard
  • Guide authentication and authorization improvements across Platform and App teams
  • Manage the discovery, analysis, tracking, and remediation of vulnerabilities across multiple intakes. This includes leading Coordinated Vulnerability Disclosure, penetration testing, and technical risk assessment activities (internal and with external partners)
  • Implement SAST, DAST, RASP, or IAST, leveraging coverage analysis and the shift-left paradigm
  • Build security tools and systems to help accelerate remediation of security issues, such as identifying and overcoming “top N” bugs, as well as growing logging capabilities for digital forensics and incident response (SIEM)
  • Establish typical “abuse stories” and “misuse cases” and how they apply within specific projects
  • Harden the WAF in front of public-facing web applications and assist in the mitigation of other DDoS, brute-force, or credential-stuffing vectors
  • Teach and share knowledge of application security tools and the OWASP Top 10 and/or SANS Top 25, to help all engineers internalize how to make their apps resistant to SQLi, XSS, CSRF, SSRF, etc., leading to more secure software code and design decisions

About You:

  • You love building relationships with teammates across multiple functional business units
  • You want to protect people and their data
  • You have a curious, investigative mind (able to be “in the weeds”), but you are known for communicating complex ideas simply to technical, non-technical, and executive audiences
  • You have a solid understanding of information security and computer systems concepts, cryptography, key management, authentication, and authorization, as well as secure networking protocols
  • You are eager to engage in a role that demands engineering skill, software development lifecycle aptitude, and the ability to consistently execute on solutions using agile methodologies
  • You practice safe change management almost daily to protect all features and system functions, and orient your pragmatic mindset to sustain business goals
  • You willingly navigate ambiguity with humility, understanding, and a growth mindset
  • You have several years of experience developing with at least one modern coding language and a terminal emulator, including remediating first- and third-party vulnerabilities
  • IoT or embedded engineering experience, CompTIA Security+, CSSLP, GWEB, GSSP, or GWAPT are a plus
  • You have a proven track record in an environment that leverages cloud infrastructure and CI/CD pipelines

We are an equal opportunity employer and value diversity at our company. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.

Tags: Agile Application security CI/CD Cloud CompTIA Cryptography CSRF DAST DDoS DevOps Forensics GWAPT Incident response OWASP Pentesting Risk assessment SANS SAST SIEM SSRF Vulnerabilities XSS

Perks/benefits: Team events

Region: North America
Country: United States