Security Engineer, Application Security
Posted on Feb 16, 2020 by Affirm, Inc.
Affirm values information security as a critical part of the company's continued success. Our mission is to make information security programmatic and cultural at Affirm, enabling the company to succeed in building honest financial products. The Security team's posture increases security and reduces risk while securely enabling access to information for those who need it.
What You'll Do
Develop application security and product best practices to standardize security practices.
Provide security design reviews and code reviews to the organization to ensure that product features meet security requirements and best practices.
Review, analyze, and evaluate both internally developed software and vendor products and procedures to address security requirements and concerns.
Serve as subject matter expert for static and dynamic analysis security tools.
Work with DevOps engineers to integrate static and dynamic analysis security tools into CI/CD pipelines.
Interpret security tool findings, third-party penetration testing results, and bug bounty program submissions.
Provide vulnerability remediation guidance and mentoring to product development software engineers.
Develop company-wide security projects and processes to discover security defects in source code, dependencies, and/or other artifacts.
Develop and improve documentation on security processes and procedures.
Build metrics to track security defects and automate the collection of security information to derive metrics.
Enable automation of product security testing and find innovative ways to scale the security team.
Evaluate new technologies, tools, and/or development techniques that impact security.
What We Look For
Team player with a strong work ethic and attention to detail is a must.
Ability to communicate effectively with business representatives, explaining security topics clearly and, where necessary, in layman's terms.
Experience with Cloud and virtualized technology in environments such as AWS or GCP.
Ability to communicate security effectively to any audience, such as explaining vulnerabilities and weaknesses in the OWASP Top 10, WASC, and/or CWE 25, and discussing effective defensive techniques and countermeasures with both business and engineering staff.
Deep understanding of network protocols such as HTTP and SSL/TLS.
Familiarity with means to defend modern web applications and APIs.
Familiarity with dynamic and static analysis tools, and the ability to interpret dynamic/static analysis tool and penetration test results and describe issues and fixes to non-security experts.
Familiarity with common reconnaissance, exploitation, and post-exploitation frameworks.
Deep understanding of continuous integration / continuous deployment processes and tools.
Ability to automate tasks using a scripting language (Python, Shell, etc.).
Security certification such as CISSP, OSCP is a plus.
BA/BS degree in a related field or equivalent experience is a
Affirm, "People Come First" is a core value, and that's why diversity and inclusion are vital to our priorities as an equal opportunity employer. You can learn more about our D & I efforts here.
We also consider qualified applicants with arrest and conviction records for positions in accordance with applicable laws, including the San Francisco Fair Chance Ordinance.