Senior Application Security Engineer

The Role

We are seeking a highly experienced Senior Application Security Engineer to join our Information Security team. This role is pivotal in ensuring the security and integrity of our cloud-based platform and shared solutions within our B2B/E product suite. You'll be responsible for development and implement high-level application security architecture across diverse projects, with a focus on the insurance industry.

As a Senior Application Security Engineer, you will report directly to the Director of Information Security & Privacy, playing a key role in maintaining the overall security posture of the company. You'll be part of a security team that participates in a 24/7/365 Incident Detection/Incident Response (ID/IR) rotation and assists with incident response procedures. Our application environment is a hybrid of Containers, managing most of our production microservices, and a public cloud-driven services layer based on popular open-source components.

We’re looking for a candidate who thrives in a team setting, effectively collaborates with colleagues across various departments, and contributes positively to a dynamic team environment. The ideal individual should be adept at leveraging the strengths of diverse team members, fostering a culture of open communication, and driving joint initiatives towards successful outcomes.

Your day-to-day

1. Join a product security team to develop and implement high-level application security architecture across diverse projects, with a focus on the insurance industry.
2. Collaborate with development and product teams to integrate advanced security solutions by design into business-critical applications.
3. Create and refine application threat models, emphasizing robust security measures tailored to the unique challenges of the insurance sector.
4. Create application security architecture patterns, and product security requirements.
5. Perform security code reviews and application security testing.
6. Provide strategic guidance on application security best practices and oversee the implementation of these practices in software development life cycles.
7. Evaluate and respond to vulnerabilities identified through internal security testing, prioritizing according to business impact.
8. Drive initiatives to enhance security awareness and practices within the application development teams.
9. Work closely with compliance teams to ensure that applications adhere to industry-specific regulations and standards.
10. Document runbooks, best practices, team initiatives using repeatable patterns.

About You

• 8 years of experience in information security, to include 5 years of experience in application security engineering, with a specialization in security architecture,
• Expertise in security-by-design principles and a deep understanding of application security frameworks and standards.
• Experience in working with software development teams, providing security oversight in complex application ecosystems.
• Familiarity with OWASP and relevant standards like ASVS and MASVS.
• Familiarity with the regulatory environment of the insurance industry or a similarly regulated industry and its impact on application security.
• Strong skills in threat modeling, risk assessment, and vulnerability management.
• Proficient in at least one programming language and relevant security tools.
• Excellent communication skills, with the ability to lead security initiatives and train teams on security best practices.

Bonus Points

• Advanced certifications in security architecture (e.g., CSSLP, EC-CASE, GWEB, OSCP, CISSP-ISSAP, SABSA) or related fields.
• Prior experience in a similar role within the insurance industry or other highly-regulated sectors.
• Proficiency in developing and implementing risk assessment models tailored to the insurance industry.
• Experience with cloud-based security solutions and familiarity with cloud service providers, particularly in relation to application security.
• Hands-on experience with "purple team" activities, encompassing both offensive (penetration testing) and defensive (security architecture) methodologies.
• In-depth knowledge of various security frameworks (such as NIST, MITRE ATT&CK) and their application in a business context, especially within the insurance sector.
• Previous career experience as a full stack engineer.
• Demonstrated ability to engage in research and stay abreast of the latest trends and developments in application security and the insurance industry.
• Strong track record in leading security-focused training and workshops, enhancing the security skill set of development teams.
• Practical experience with data protection and privacy regulations relevant to the insurance industry, such as GDPR, HIPAA, or PCI-DSS.
• Experience with cloud security, data privacy, and compliance frameworks relevant to the insurance industry.

Salary: $171,000 to $299,000*

• *Please note that the final salary offered will be determined based on the selected candidate's skills, and experience, as well as the internal salary structure at Quanata. Our aim is to offer a competitive and equitable compensation package that reflects the candidate's expertise and contributions to our organization.

Additional Details:

• Benefits: We provide a wide variety of health, wellness and other benefits.These include medical, dental, vision, life insurance and supplemental income plans for you and your dependents, a Headspace app subscription, monthly wellness allowance and a 401(k) Plan with a company match.
• Work from Home Equipment: Given our virtual environment— in order to set you up for success at home, a one-time payment of $2K will be provided to cover the purchase of in-home office equipment and furniture at your discretion. Also, our teams work with MacBook Pros, which we will deliver to you fully provisioned prior to your first day.
• Paid Time Off: All employees accrue four weeks of PTO in their first year of employment. New parents receive twelve weeks of fully paid parental leave which may be taken within one year after the birth and/or adoption of a child. The twelve weeks is applicable to both birthing and non-birthing parent.
• Personal and Professional Development: We’re committed to investing in and helping our people grow personally and professionally. All employees receive up to $5000 each year for professional learning, continuing education and career development. All team members also receive Udemy subscriptions and access to multiple different coaching opportunities through BetterUp.
• Location: We are a remote-first company for most positions so you may work from anywhere you like in the U.S, excluding U.S. territories. Occasional travel may be required for team meetings or company gatherings. Employees based in the San Francisco Bay Area or in Providence, Rhode Island may commute to one of our local offices as desired.
• Hours: We maintain core meeting hours from 9AM - 3PM Pacific time for collaborating with team members across all time zones.