Lead Information Security Officer
Citi
AWSAzureCloudCyber SecurityGoGoogle Cloud PlatformJavaJavaScriptJenkinsPython
Senior Product Security Engineer
BeyondTrust
full-time
Posted on:
Origin: • 🇺🇸 United States
Visit company websiteJob Level
Senior
Tech Stack
AWSCloudCyber Security
About the role
- Perform hands-on security testing and validation of web applications, APIs, and cloud-native services.
- Conduct in-depth penetration testing, code reviews, and manual validation to supplement automated tooling.
- Lead threat modeling exercises and provide actionable guidance to engineering teams on risk mitigation.
- Identify and triage vulnerabilities, validate fixes, and ensure remediation is effective.
- Manage and coordinate third-party penetration tests, ensuring findings are tracked to closure.
- Provide expertise on web and API security standards (e.g., OWASP Top 10, API Security Top 10).
- Partner with developers and architects to drive secure coding practices and security-by-design principles.
- Leverage security testing tools (SAST, DAST, SCA, IAST) while prioritizing manual validation of high-risk areas.
- Collaborate with DevOps/Platform teams to ensure security controls are embedded in CI/CD pipelines without creating friction.
- Support internal security awareness and champion security best practices across product teams.
Requirements
- 5+ years of progressive experience in Application & Product Security with direct hands-on testing/validation.
- Strong expertise in web application and API security: authentication/authorization, session management, input validation, cryptography, and common attack vectors.
- Proficiency with penetration testing methodologies and tools (Burp Suite, Postman, custom scripts, etc.).
- Strong knowledge of secure coding practices and common vulnerabilities (OWASP Top Ten, API Security Top Ten, CWE).
- Experience with application security testing tools (SAST, DAST, SCA) combined with manual exploit validation.
- Understanding of cloud security best practices (preferably AWS).
- Strong analytical and problem-solving skills; ability to assess risk and drive practical remediation.
- Excellent communication skills with both technical and non-technical stakeholders.
- Ability to thrive in an ambiguous, fast-paced environment and take ownership of deliverables.
- Experience with mobile application security testing. (Nice to have)
- Familiarity with container security and infrastructure-as-code scanning. (Nice to have)
- Professional certifications (OSWE, OSCP, GWAPT, CISSP, CSSLP, or equivalent). (Nice to have)
- Experience working with bug bounty programs or vulnerability disclosure programs. (Nice to have)
- Must be based in North America / Remote within Canada or United States.
