Senior Product Security Engineer
This is a critical role in ensuring the security and compliance of our health and human services (HHS) IT solutions. The successful candidate will work closely with cross-functional teams to assess, implement, and manage security controls, regulatory requirements, and incident response protocols.
Key Responsibilities:
* Define, review, and validate application security requirements with Product Development teams.
* Integrate security features for authentication and authorization using technologies like OIDC, SAML SSO, and JAAS.
* Implement controls to address vulnerabilities, including OWASP Top 10 risks like CSRF, XSS, and XXE.
* Collaborate with development teams to validate security fixes and promote best practices.
* Review codebases for vulnerabilities and assess issues flagged by security scanning tools.
* Serve as a primary responder to security issues identified by the Product Security Response Team (PSRT), coordinating efforts for timely remediation.
* Interpret and communicate PSRT advisory reports to development teams, providing guidance to address identified vulnerabilities.
* Conduct Open Source Software (OSS) vulnerability assessments to maintain secure software dependencies.
* Perform SAST and DAST testing with tools like SonarQube and Burp Suite Pro to proactively identify security risks.
* Configure and manage security scanning tools to meet project needs.
* Conduct internal penetration tests and support external pen testers in assessments of on-premises and Kubernetes-based applications.
* Document, assess, and address security risks and any deviations from security standards.
* Serve as a primary contact for security incidents, handling security-related customer cases and incident responses.
* Coordinate with the CISO team for security sign-offs on product releases.
* Support ISO 27001 and other certification efforts to ensure compliance with industry standards.
Requirements:
* Security Expertise: Deep knowledge of security vulnerabilities, risks, and mitigation techniques, with experience in vulnerability management frameworks such as CVE and CVSS.
* Technical Skills: Proficiency in SAST, DAST, and IAST security scanning tools and vulnerability scanners; experience integrating and managing security tools within CI/CD pipelines; strong skills in Java, JavaScript, XML, and YAML; a solid understanding of Kubernetes security, cloud environment configurations, security requirements for deployments on application servers, and cryptographic algorithms; risk management knowledge; and strong collaboration, communication, and problem-solving skills.
MERATIVE offers opportunities to grow and develop new skills with colleagues who have deep expertise in health and technology.