Application Security Engineer

About the role and about You:

The Zwift InfoSec Team is looking for an Application Security Engineer to help build and grow product security within service and engineering teams in order to address both deeply technical and programmatic security issues, as well as emerging new threats. This individual will lead application security assurance efforts, provide code reviews and tooling, and liaise with development and operations teams across the company to provide security awareness and consultation. The role requires partnering with key project stakeholders to define key security issues, as well as identify, prioritize, and categorize security remediation plans. Application security engineers oversee and influence cross-functional security diligence and integration teams to ensure all relevant security concepts are considered. 

Successful Application Security Engineers at Zwift are self-starters, able to work autonomously, natural problem solvers, collaborative, and not phased by adversity or ambiguity. You should have strong problem-solving skills, excellent communication skills, a deep technical understanding of modern cloud security threats, strong scripting and automation skills, and the desire to be an individual contributor to securing Zwift’s platform and system/services technology.

What you’ll do: 

• Work with application development teams across Zwift to provide guidance on best practices for secure application development across a variety of languages and frameworks.
• Collaborate with application development teams to improve security test coverage and functional security testing.
• Triage incoming bug reports both from the information security team and the security research community and work to prioritize and remediate bugs with affected application and infrastructure teams.
• Advise and consult internal customers on risk assessment, incident triage, threat modeling, and security vulnerability mitigation.
• Mentor developers on evolving threats to their applications and help to insure state of the art secure development practices are being used.
• Perform code reviews of security critical code.

What we’re looking for:

• 2+ years of application security experience designing, building or testing web and API based architectures.
• Understanding of security vulnerabilities, attacker exploit techniques and methods for remediation of such.
• Excellent understanding/working knowledge of the public cloud infrastructure and services in AWS (IAM, KIAM, VPC, KMS, CloudWatch, Systems Manager, S3, RDS, Route53, Lambda, AWS Config, etc.)
• Excellent understanding of docker and container orchestration with kubernetes and experience running production kubernetes clusters in Amazon EKS, Google GKE, or similar managed platform.
• Scripting skills (e.g., Python, Go, JS, C, C++, Java, Ruby, or PowerShell)
• Prior working experience in or with a Software Development Team.

Bonus points: 

• Experience creating or working with bug bounty programs.
• Identify opportunities for process improvement, including the development and implementation of internal security tools, tactics, and procedures.
• Perform both black box and white box security auditing of Zwift applications, networks, and infrastructure.