The Senior Application Security Engineer executes information security operations activities related to deploying, monitoring, analyzing, improving and troubleshooting a Secure Systems Development Life Cycle (S-SDLC). Supports the implementation of appropriate application and information security procedures and products. Performs the evaluation, development, implementation and operational aspects of security standards, procedures and guidelines for multiple platforms and diverse systems environments.
Perform threat modeling, design reviews and code reviews of new Web, API’s and Mobile Applications
Manage remediation of any findings from internal or external assessments
Integrate security tools (e.g., DAST, SAST, SCA, etc.) in the delivery pipeline and the S-SDLC process
Assist in the review, monitoring and/or auditing of applicable daily Security Log Activity and Events. Take action as necessary
Perform secure software design in collaboration with stakeholders
Monitor and Maintain Application Security training and related awareness campaigns: Drive the Security & Privacy Awareness Program for Application Development
Support our compliance programs (such as PCI) by helping implement and document controls, examining evidence for compliance to standards and perform recurring pen-tests of applications in scope
The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job. Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.
Knowledge, Skills and Abilities:
Ability to work in a fast paced, rapidly changing environment and a strong desire to learn
Deep knowledge of OWASP Top 10 (2013 and/or 2017 Version) vulnerability detection and mitigation
Ability to present information
Ability to train and mentor junior staff and developers
Understanding of software development life cycle methodologies and concepts
Understanding of the git version control system
Linux and Windows system administration
Ability to tune Web Application Firewalls (WAFs)
Strong knowledge of authentication and authorization concepts (e.g. OAuth2, OIDC, SAML, Secure Token Management)
Strong knowledge of security vulnerabilities and must exhibit the ability to exploit them
Strong knowledge of web based security concepts (CORS, cookie security, SRI, CSP)
Knowledge of common scripting and application development languages (e.g. PowerShell, C#, .NET, Java, Golang, Python, T-SQL etc.) and/or the ability to learn is required
Demonstrate an understanding of key IT operational policies, processes and methodologies applicable to governance, risk management and compliance
Understanding of PCI-DSS and EU GDPR
Knowledge researching, analyzing and recommending information security solutions
Knowledge of, experience in Key Management Administration for encryption keys and secrets
A working knowledge of information security practices and concepts including intrusion detection/ prevention, access controls, risk analysis, vulnerability scanning, and data encryption
High degree of accuracy and attention to detail
Excellent organization skills and ability to multitask
Strong knowledge of information systems and networking is required, at least on a conceptual level
Experience with various tooling in the Application Security space
Experience identifying, assessing, and remediating technical security vulnerabilities
Strong organizational, excellent written, verbal and interpersonal communication skills are needed to work effectively with a wide variety of staff, outside consultants and vendors
Generally, requires (5) plus years experience specifically with application, offensive and network security. Experience in software development a plus.
Bachelor’s Degree or higher in Information Technology, Information Security, Computer Science, or a related field strongly preferred. A demonstrable strong experience may be considered as a replacement for a college degree. Advanced industry certification strongly desired, e.g. SANS GIAC (CEH - Certified Ethical Hacker or GXPN - Exploit Researcher and Advanced Penetration Tester, are preferred), Offensive Security Certified Professional (OSCP), CompTIA Security+, CISSP preferred.
Judgment/Reasoning Ability: Able to identify, troubleshoot and resolve problems quickly using sound judgment, poise and diplomacy. Ability to use judgment and reasoning skills, and determine when to escalate issues, as required, in a timely manner.
Physical Demands: The physical demands described here are representative of those that must be met by a Team Member to successfully perform the essential functions of this job. While performing the duties of this job, the Team Member is regularly required to talk and hear. The Team Member is frequently required to sit, walk, climb stairs, use hands and fingers, bend, stoop and reach with hands and arms. Reaching above shoulder heights, below the waist or lifting as required to file documents or store materials throughout the work day. The Team Member may occasionally lift or move office products and supplies up to 25 pounds. Proper lifting techniques required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
The noise in the work environment is usually moderate. Other factors are:
Hectic, fast-paced with multi-level distractions
Professional, yet casual work environment
Office / Warehouse environment
Ability to work extended hours as required
Job Description Acknowledgement:
I have received a copy of my job description for my current position. The job description describes duties and responsibilities which apply to me. I agree to read the job description and understand it may be amended as company conditions or requirements necessitate. In that case, changes will be communicated to me.
Team Member Name (PRINT): ________________________________
Team Member Signature: __________________________________
Human Resources (PRINT): _________________________________
Human Resources Signature: ______________________________
iHerb is a leading global e-commerce retailer with an emphasis on providing an exceptional selection of nutritional and wellness products for the past 25 years. With over 30,000 products shipped to over 180 countries, we provide the best overall value for natural products through an innovative and efficient supply chain process.
Our teams have a strong sense of commitment and pride in their work, which has allowed us to grow, even during the recent pandemic. At iHerb, our purpose is to empower people to enhance their health, happiness, and well-being — that starts with valuing our team members by providing a positive work environment with competitive benefits. Our five shared values unite our team members across the globe and provide a stable foundation. These values speak to who we are, the culture we’re building, and how every single team member contributes to our larger company vision.
iHerb's Shared Values
Focus on the Customer · Empower Our People · Be Entrepreneurial & Pivot Quickly · Embrace Diversity & Inclusion · Strive for Simplicity
At iHerb, we are dedicated to offering programs designed to help our employees and their families stay healthy, live well and plan for the financial future. Built on a strong foundation, our programs provide options and upgrades with flexibility, protection, and security in mind. Below is a snapshot of the benefits we offer our team members. For a more comprehensive listing, visit www.iHerbBenefits.com.
- Medical Care: Starting in 2021, iHerb covers 100% of the associated cost for medical benefits
- Dental and Vision benefits
- Safe Harbor 401(k) + company match (100% of the first 6% of the employee’s contribution)
- Company-paid Term Life Insurance
- Short and Long Term Disability
- Flexible Spending Account (for qualifying expenses)
- Pet Insurance
- Voluntary Supplemental Benefits
- Education Reimbursement Programs
- Professional Development and Job Training
- Wellness Programs with opportunity to earn up to $300 per year
We strive for innovation, targeted at delivering a customer-centric experience while transforming the online shopping experience. We change direction and define ourselves in the idea that individually we are incredible but united our growth is infinite and paramount to our success. iHerb strives to be the global industry leader!
iHerb is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status. iHerb provides equal employment opportunities to all applicants for employment and prohibits discrimination and harassment.