In this role, the Staff Application Security Engineer will work closely with the security and engineering teams to ensure that security is integrated into the software development lifecycle. They will also be responsible for developing and maintaining SDLC policies and procedures, as well as conducting application security training for engineers.

The ideal candidate will have excellent communication skills, as they will be responsible for working with a variety of teams and individuals across the organization. They should also be highly organized and able to manage multiple tasks and priorities effectively.

What you will be doing at VGS

• Triage and prioritize application security vulnerabilities. Work with Engineering to schedule mitigations.
• Operate all aspects of a private bug bounty program, including tracking of spends and MTTM (mean time to mitigation) of security vulnerabilities.
• Develop internal AppSec review processes.
• Build and conduct secure coding training for all developers.
• Mentor and train security champions throughout Engineering.
• Implement automated, proactive security measures (e.g., SAST/DAST).
• Develop a secure SDLC process and communicate the process to Engineering.
• Collaborate with external-facing security communications teams when possible/feasible (e.g., blog posts, security vulnerability disclosures, etc.).

What we are looking for from you (Requirements)

• At least 3-5 years of direct experience either working on or leading an application security team.
• Experience conducting internal application security reviews.
• Experience with vulnerability disclosure programs.
• Experience with building/measuring metrics and KPIs to track security mitigations.
• Experience with source code repositories, CI/CD pipelines, and associated security tooling (e.g., GitHub, GitLab, etc).
• Experience developing and communicating Secure SDLC processes.
• Experience working with SAST/DAST and related tools (e.g., Synopsys, Veracode, GitLab Secure, GitHub Advanced Security, etc.).
• Experience with threat modeling methodologies (e.g., STRIDE).
• Experience with Java and Python secure coding assessments.

Nice to Haves:

• Experience with cloud-native pre-IPO startup companies.
• Experience with AWS security services and tooling.

About you:

• Able to succeed in a remote, globally-distributed work environment.
• Highly organized, and able to triage and prioritize numerous issues and projects.

Performance indicators:

• Mean time to mitigation for security vulnerabilities
• Internal application security reviews conducted
• Reduction in similar classes of security vulnerabilities over time

What’s unique about VGS

• We’re a quickly scaling company with a startup mindset.
• We love to empower our people to take ownership! You’ll find you are given the freedom and will own the responsibility to be successful here.
• We’re creating a remote-first philosophy. You’ll have a strong impact on a new cultural shift within the company.

What you get from us

• Flexible work hours and flexible PTO
• Competitive health benefits
• VGS stock options
• 401k plan, with employer matching 4% and immediate vesting of employer match (available only for US employees)
• Life & disability insurance
• Pre-tax flexible spending accounts, dependent and healthcare FSA (available only for US employees)
• Global parental leave program
• Employee Assistance Program
• Home Internet reimbursement
• New hire home office set up allowance
• Professional learning reimbursement

The typical base pay range for this role across the U.S. is USD $165,000 - $180,000 per year. The successful candidate’s starting pay will be determined based on job-related skills, experience, qualifications, work location, and market conditions.