Principal Security Engineer

Forbes Advisor is a new initiative for consumers under the Forbes Marketplace umbrella that provides journalist- and expert-written insights, news and reviews on all things personal finance.

We are an experienced team of industry experts dedicated to helping readers make smart decisions and choose the right products with ease. Marketplace boasts decades of experience across dozens of geographies and teams. The team brings rich industry knowledge to Marketplace's global coverage of consumer credit, debt, health, home improvement, banking, investing, credit cards, small business, education, insurance, loans, real estate and travel.

Job Description

We are looking for a Principal Security Engineer to join our organization. The ideal candidate will have strong hands-on experience in ensuring robust security controls across both applications and organizational data. This candidate is expected to work closely with multiple stakeholders to architect, implement, and monitor effective safeguards. The ideal candidate will champion secure design, conduct risk assessments, drive vulnerability management, and promote data protection best practices for the organization

Responsibilities

• Design and implement security measures for website and API applications.
• Conduct security-first code reviews, vulnerability assessments, and posture audits for business-critical applications.
• Conduct security testing activities like SAST & DAST by integrating them within the project's CI/CD pipelines and development workflows.
• Manage all penetration testing activities including working with external vendors for security certification of business-critical applications.
• Develop and manage data protection policies and RBAC controls for sensitive organizational data like PII, revenue, secrets, etc.
• Oversee encryption, key management, and secure data storage solutions.
• Monitor threats and responds to incidents involving application and data breaches.
• Collaborate with engineering, data, product and compliance teams to achieve security-by-design principles.
• Ensure compliance with regulatory standards (GDPR, HIPAA, etc.) and internal organizational policies.
• Automate recurrent security tasks using scripts and security tools.
• Maintain documentation around data flows, application architectures, and security controls.

Requirements

• 10+ years' experience in application security and/or data security engineering.
• Strong understanding of security concepts including zero trust architecture, threat modeling, security frameworks (like SOC 2, ISO 27001), and best practices in corporate security environments.
• Strong knowledge of modern web/mobile application architectures and common vulnerabilities (like OWASP Top 10, etc.)
• Proficiency in secure coding practices and code reviews for major programming languages including Java, .NET, Python, JavaScript, Typescript, React, etc.
• Hands-on experience in at-least two Software tooling in areas of vulnerability scanning and static/dynamic analysis. Software tooling can include  Checkmarx, Veracode, SonarQube, Burp Suite, AppScan, etc.
• Advanced understanding of data encryption, key management, and secure storage (SQL, NoSQL, Cloud) and secure transfer mechanisms.
• Working experience in Cloud Environments like AWS & GCP and familiarity with the recommended security best practices.
• Familiarity with regulatory frameworks such as GDPR, HIPAA, PCI DSS and the controls needed to implement them.
• Experience integrating security into DevOps/CI/CD processes.
• Hands-on Experience with automation in any of the scripting languages (Python, Bash, etc.)
• Ability to conduct incident response and forensic investigations related to application/data breaches.
• Excellent communication and documentation skills.

Good To have :

• Cloud Security certifications in either one of the below
  • AWS Certified Security – Specialty
  • GCP Professional Cloud Security
• Experience with container security (Docker, Kubernetes) and cloud security tools (AWS, Azure, GCP).
• Experience in safeguard data storage solutions like GCP GCS, BigQuery, etc.
• Hands-on work with any SIEM/SOC platforms for monitoring and alerting.
• Knowledge of data loss prevention (DLP) solutions and IAM (identity and access management) systems.

Perks:

• Day off on the 3rd Friday of every month (one long weekend each month)

• Monthly Wellness Reimbursement Program to promote health well-being

• Monthly Office Commutation Reimbursement Program

• Paid paternity and maternity leaves

• Bachelor's or Master's degree in Computer Science, Engineering, or a related field.