Product Security Engineer

Learfield is looking for a hands-on Product Security Engineer to further Learfield’s product security initiatives. You will have a broad mandate and are expected to help drive change throughout the company. As a Product Security Engineer, you will have the opportunity to work cross-functionally with teams across Learfield, including DevOps, Product Engineering, and Legal teams. 

Key Responsibilities

• Ensure that adequate security and privacy requirements are in place and are consistent with Learfield's policies, such as
  • Strong and secure Authentication and Authorization
  • Constant testing/verification of Application/Product Security as part of DevOps processes (Microsoft Azure DevOps, Gitlab/Bitbucket)
• Ensure that security and privacy-related issues and incidents are promptly and properly addressed such as
  • Application encryption for data/application transport as well as data storage
  • Relevant application logging: collected, retained and reviewed
• Perform security assessments, identify gaps in existing security architecture, and recommend changes or improvements.
• Direct and guide product security initiatives in collaboration with software engineering and product management teams
• Lead initiatives & programs to continually grow our secure software development practices
• Continue to define and iterate on the Security Program & Architecture Strategy to secure Learfield’s products, data, and infrastructure
• Effectively communicate security risk to senior leadership and collaborate with Dev and IT teams towards a “paved path” for Information Security and Privacy.

Qualifications

• B. S. or M.S. Computer Science or related field, or equivalent experience.
• Familiarity with native programming languages, development practices, and common bug patterns (C, C++, Java, JavaScript, NodeJS, Visual Studio, Python, PHP(LAMP/WAMP), etc.).
• Familiarity with native analysis tooling and frameworks (fuzzing, static analysis, etc.).
• Familiarity with some common security libraries and tools (e.g. SAST/DAST tools, pen testing tools such as Burp, Mend (Whitesource), Snyk, Gitlab, Parrot, Kali, Fiddler, Havij, Netcat, etc.).
• Able to work well with software development teams, identify security issues through code review, and ability to explain common security flaws and ways to address them (OWASP ASVS, SCVS).
• Strong understanding and experience in Secure SDLC.
• Knowledge of common application vulnerabilities, (e.g.: XSS, CSRF, SQL injection, cookie/header/encoding manipulation, input/output validation, session replay).
• Ability to write proof-of-concept exploits is a big plus.