Senior Application Security Engineer

The Zwift Application Security Team is looking for a Senior Application Security Engineer to help build and grow product security within service and engineering teams in order to address both deeply technical and programmatic security issues, as well as emerging new threats. This individual will lead application security assurance efforts, provide code reviews and tooling, and liaise with development and operations teams across the company to provide security awareness and consultation. The role requires partnering with key project stakeholders to define key security issues, as well as identify, prioritize, and categorize security remediation plans. Senior Application Security Engineers coordinate and influence cross-functional engineering and integration teams to provide security in the software development lifecycle. 

Successful Senior Application Security Engineers at Zwift are self-starters, able to work autonomously, natural problem solvers, collaborative, and not phased by adversity or ambiguity. You should have strong problem-solving skills, excellent interpersonal skills, a deep technical understanding of modern web application, client/server application, and containerization based security threats, strong scripting and automation skills, and the desire to be an individual contributor to securing Zwift’s services and products.

What you’ll do: 

• Work with application development teams across Zwift to provide guidance on standard methodologies for secure application development across a variety of languages and frameworks.
• Collaborate with application development teams to improve security test coverage and functional security testing at all levels of the development life cycle.
• Provide developer awareness training and supporting documentation to proliferate the methodologies of secure software development.
• Develop and maintain the bug bounty and public vulnerability submission process.  
• Triage incoming bug reports both from the information security team and the security research community and work to prioritize and remediate bugs with affected application and infrastructure teams.
• Manage tooling and process for continuous application risk assessment, triage, curation, and reporting.
• Advise and consult internal engineering teams on risk assessment, incident triage, threat modeling, and security vulnerability mitigation.
• Mentor developers on evolving threats to their applications and help to insure state of the art secure development practices are being used.
• Develop and maintain a regular code review process for software development teams.

What we’re looking for:

• 5+ years of application security experience designing, building or testing web and API based architectures.
• Deep understanding of security vulnerabilities, attacker exploit techniques, common objectives, and tactics affecting public web applications.
• Excellent working knowledge of the public cloud infrastructure and services in AWS (IAM, KIAM, VPC, KMS, CloudWatch, Systems Manager, S3, RDS, Route53, Lambda, AWS Config, etc.)
• Excellent understanding of docker and container orchestration with kubernetes and experience running production kubernetes clusters in Amazon EKS, Google GKE, or similar managed platform.
• Scripting skills (e.g., Python, Go, JS, C, C++, Java, Ruby, or PowerShell)

Bonus points: 

• Prior working experience in or with a Software Development Team.

• Experience crafting or working with bug bounty programs.

• Identify opportunities for process improvement, including the development and implementation of internal security tools, tactics, and procedures.
• Prior security auditing of Zwift applications, networks, and infrastructure.