Senior Security Engineer, Applications

Who Are We?
Postman is the world's leading API platform, used by more than 40 million developers and 500,000 organizations, including 98% of the Fortune 500. Postman is helping developers and professionals across the globe build the API-first world by simplifying each step of the API lifecycle and streamlining collaboration—enabling users to create better APIs, faster.

The company is headquartered in San Francisco and has offices in Boston, New York, and Bangalore - where Postman was founded. Postman is privately held, with funding from Battery Ventures, BOND, Coatue, CRV, Insight Partners, and Nexus Venture Partners. Learn more at or connect with Postman on X via @getpostman.

P.S: We highly recommend reading The "API-First World" graphic novel to understand the bigger picture and our vision at Postman.

Description
Postman is looking for experienced Security Researchers and Security Engineers to join our Security Engineering and Architecture team. You will be responsible for maintaining and improving the security of the services provided by Postman.

What You Get To Do Every Day

• Mentor junior Security Engineers and Security Champions on security best practices and techniques.
• Improve our security tooling and processes.
• Conduct security talks and training sessions.
• Identify critical flaws and weaknesses in our web applications, services and our cloud infrastructure then design and implement strategic solutions to remediate them.
• Write and review technical proposals, architectural diagrams, application code and IaC.
• Use automated and manual testing techniques to gain a better understanding of the environment and reduce false negatives.
• Reduce manual security review efforts by improving our tooling and processes.
• Improve the scope of our assessments by adding new techniques and new categories of vulnerability assessments.
• Consolidate and track vulnerabilities across our organisation and our supply chain to assist in identifying areas to focus our security uplift efforts.
• Review and define requirements for developing and deploying secure products; create guidelines and standards to meet these requirements.
• Work closely with the team to build systems that protect against and eradicate entire classes of vulnerabilities.

What You Bring To The Role

• Experience working as a Senior Security Engineer with deep involvement in securing modern web applications and APIs.
• Experience conducting threat modelling, security reviews and risk assessments.
• Solid project management experience leading initiatives that have measurably improved the security of organisations.
• Proficient in one or more high-level programming languages.
• Proficient with common developer tools and processes such as Github, CI/CD, containers and orchestration, IaaS/PaaS, APIs, Websockets, Databases, Front-End and Back-End systems.
• Experience securing Data to meet various privacy framework and regulation requirements.
• Deep understanding and experience in securing AWS environments.
• Experience in deploying AppSec tools (e.g., SAST, SCA, WAF etc) throughout the stages of the SDLC to ensure the most relevant vulnerabilities are surfaced and false positives are kept to a minimum.
• Understanding of web security mechanisms (such as SOP, CORS, CSP, Subresource Integrity, and same-site cookies).
• Strong understanding of various authentication/authorization protocols e.g. OAuth, SAML and JWT.

What Else?
In addition to Postman's pay-on-performance philosophy, and a flexible schedule working with a fun, collaborative team, Postman offers a comprehensive set of benefits, including full medical coverage, flexible PTO, wellness reimbursement, and a monthly lunch stipend. Along with that, our wellness programs will help you stay in the best of your physical and mental health. Our frequent and fascinating team-building events will keep you connected, while our donation-matching program can support the causes you care about. We're building a long-term company with an inclusive culture where everyone can be the best version of themselves.

At Postman, we embrace a hybrid work model. For all roles based out of San Francisco Bay Area, Boston, Bangalore, Hyderabad, and New York, employees are expected to come into the office 3-days a week. We were thoughtful in our approach which is based on balancing flexibility and collaboration and grounded in feedback from our workforce, leadership team, and peers. The benefits of our hybrid office model will be shared knowledge, brainstorming sessions, communication, and building trust in-person that cannot be replicated via zoom.

Our Values
At Postman, we create with the same curiosity that we see in our users. We value transparency and honest communication about not only successes, but also failures. In our work, we focus on specific goals that add up to a larger vision. Our inclusive work culture ensures that everyone is valued equally as important pieces of our final product. We are dedicated to delivering the best products we can.

Equal opportunity
Postman is an Equal Employment Opportunity and Affirmative Action Employer. Qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender perception or identity, national origin, age, marital status, protected veteran status, or disability status. Headhunters and recruitment agencies may not submit resumes/CVs through this website or directly to managers. Postman does not accept unsolicited headhunter and agency resumes. Postman will not pay fees to any third-party agency or company that does not have a signed agreement with Postman.