Remote job description

Snapdocs is a rapidly growing company backed by investors like Sequoia, Y Combinator, F-Prime and Tiger Global. We're an innovative team taking on the extensive mortgage market, bringing scalable and sophisticated software to a pillar of the US economy that still relies on fax machines and manila envelopes.

We are now looking for a Product Security Lead who will be responsible for leading the community of Security Champions embedded in our software development teams and representing security in software architecture discussions.

Reporting directly to the Head of Product Security, you will organize threat modeling activities and security requirements gathering practices at Snapdocs. Using a DevSecOps model, the Product Security Engineer partners with embedded Security Champions to review architectures and to remediate security testing findings across the S-SDLC. The Product Security department owns all security tools (IAST, DAST, SAST) and tracks finding remediation by Engineering using an Application Security Posture Management platform. The Staff Product Security Engineer reviews product requirements and performs risk assessments on planned application changes. This role requires a highly collaborative approach paired with excellent communication skills to balance trade-offs, push back, and negotiate to get things done. This is where you come in...

Over the past years, you have developed a broad range of security-related skills and gained exposure to diverse application security frameworks, web application vulnerabilities, software security architecture, security threat modeling, and software security testing tools and methodologies, and you preferably have SaaS product security experience. You come from a software engineering educational background or have relevant experience. Extensive experience with Ruby on Rails is preferred. You have a strong background in cybersecurity and have done SANS training, or have certifications such as AWS Certified Security Specialist, CSSP, GWAPT, GPEN, GSEC. You keep up to date with web application security concepts (the OWASP Top 10, for example) and have a working knowledge of securing containerized, serverless environments. You have 5+ years of web application security experience, and you have spent time participating in bug bounty, ethical hacking, or contributing to other security-related research activities. You are highly collaborative, bridging the gaps between Engineering, Product, Security and the rest of the business to create a secure and stable network. You can balance between builder and breaker. Curiosity, patience, proactiveness and a learner's mindset are at the core of your approach to reducing the threat landscape.

Snapdocs strongly values diversity and drive. We want to work with people of different backgrounds and different paths in life, and we trust our team to make smart decisions. This means we value independent work as well as collaboration. We provide outstanding benefits (listed below) and while we have hubs in both San Francisco and Denver, we're an extremely remote-friendly company with over a third of our staff outside of those two hubs!

Our benefits include (but are not limited to):

  • Excellent health, dental, and vision benefits
  • 401(k) with up to 4% company match
  • 16 weeks paid parental leave (regardless of gender)
  • Flexible time off policy
  • Flexible spending account for healthcare and dependent care
  • Galileo, Modern Health, Urban Sitter, and Northstar Financial memberships
  • Life and disability insurance
  • Commuter benefits
  • 10-year exercise window on your equity (!!)

Snapdocs is proud to be an equal opportunity workplace. We are committed to equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity, or Veteran status. If you have a disability or special need that requires accommodation, please let us know.

California residents applying for positions at Snapdocs are subject to our candidate privacy policy.




Summary
Company name: SnapDocs
Remote job title: Lead Product Security Engineer
Job tags: Bug Bounty, Requirements Gathering, Serverless
