Staff Application Security Engineer
Very Good Security
Very Good Security (“VGS”) makes it easy for customers to collect, protect and share sensitive financial data in a way that accelerates revenue, eliminates risk, ensures compliance, and drives profitability. We are on a mission to protect the world’s payment information and are seeking global talent to support our portfolio of payment security solutions including VGS Vault, PCI Compliance as a Service (PCIaaS), Payment Optimization. and Card Issuance Products.
VGS delivers a modern solution to collect, protect, and exchange sensitive data that spans from data privacy to payment acceptance and card issuance; providing businesses with tokenization, PCI compliance, data security, processor optionality, and the ability to operate on that data without compromising their security posture. VGS delivers a modern payments security solution that gives businesses ownership and control over critically valuable customer data, granting them maximum portability, operationally and value extraction to seamlessly drive expansion, and quickly build new financial products.
In this role, the Staff Application Security Engineer will work closely with the security and engineering teams to ensure that security is integrated into the software development lifecycle. They will also be responsible for developing and maintaining SDLC policies and procedures, as well as conducting application security training for engineers.
The ideal candidate will have excellent communication skills, as they will be responsible for working with a variety of teams and individuals across the organization. They should also be highly organized and able to manage multiple tasks and priorities effectively.
What you will be doing at VGS
- Triage and prioritize application security vulnerabilities. Work with Engineering to schedule mitigations.
- Operate all aspects of a private bug bounty program, including tracking of spends and MTTM (mean time to mitigation) of security vulnerabilities.
- Develop internal AppSec review processes.
- Build and conduct secure coding training for all developers.
- Mentor and train security champions throughout Engineering.
- Implement automated, proactive security measures (e.g., SAST/DAST).
- Develop a secure SDLC process and communicate the process to Engineering.
- Collaborate with external-facing security communications teams when possible/feasible (e.g., blog posts, security vulnerability disclosures, etc.).
What we are looking for from you (Requirements)
- At least 3-5 years of direct experience either working on or leading an application security team.
- Experience conducting internal application security reviews.
- Experience with vulnerability disclosure programs.
- Experience with building/measuring metrics and KPIs to track security mitigations.
- Experience with source code repositories, CI/CD pipelines, and associated security tooling (e.g., GitHub, GitLab, etc).
- Experience developing and communicating Secure SDLC processes.
- Experience working with SAST/DAST and related tools (e.g., Synopsys, Veracode, GitLab Secure, GitHub Advanced Security, etc.).
- Experience with threat modeling methodologies (e.g., STRIDE).
- Experience with Java and Python secure coding assessments.
Nice to Haves:
- Experience with cloud-native pre-IPO startup companies.
- Experience with AWS security services and tooling.
- Able to succeed in a remote, globally-distributed work environment.
- Highly organized, and able to triage and prioritize numerous issues and projects.
- Mean time to mitigation for security vulnerabilities
- Internal application security reviews conducted
- Reduction in similar classes of security vulnerabilities over time
What’s unique about VGS
- We’re a quickly scaling company with a startup mindset.
- We love to empower our people to take ownership! You’ll find you are given the freedom and will own the responsibility to be successful here.
- We’re creating a remote-first philosophy. You’ll have a strong impact on a new cultural shift within the company.
What you get from us
- Flexible work hours and flexible PTO
- Competitive health benefits
- VGS stock options
- 401k plan, with employer matching 4% and immediate vesting of employer match (available only for US employees)
- Life & disability insurance
- Pre-tax flexible spending accounts, dependent and healthcare FSA (available only for US employees)
- Global parental leave program
- Employee Assistance Program
- Home Internet reimbursement
- New hire home office set up allowance
- Professional learning reimbursement
The typical base pay range for this role across the U.S. is USD $165,000 - $180,000 per year. The successful candidate’s starting pay will be determined based on job-related skills, experience, qualifications, work location, and market conditions.
At Very Good Security, we have a remote first philosophy. We are actively hiring for fully remote positions, so you can work from the comfort of your own workspace!
At Very Good Security we value great talent. Striving to provide the best experience for our candidates VGS appreciates your candidacy. We consider applicants without regards to race, color, national origin, sex, age, religion, sexual orientation, gender identity, veteran status, marital status, physical or mental disability, or other protected classes under all local, state, and federal laws and ordinances (AA/EOE/W/M/Vet/Disabled). Qualified applicants with arrest and conviction records will be considered for the position in accordance with the San Francisco Fair Chance Ordinance.