Senior Application Security Engineer
CLEAR makes life easier and more secure by using biometrics – your fingerprints, eyes and face – to confirm that you are you, and keep you moving. Imagine a world where you can do virtually everything you need to – breeze through the airport, buy a beer at the game, check in at the doctor’s office, access your office building, and more – without ever pulling out your wallet or phone. Now in 45+ airports and other venues nationwide, you are your ID, credit card, ticket, reservation and more with CLEAR.
We’re defining and leading an entirely new industry, moving quickly with data-informed decisions, obsessing over our customers, and investing in great people to lead the way. Recently named on CNBC’s Disruptor 50 List and winner of the SXSW Interactive Innovation Award, we’re working tirelessly to create frictionless customer experiences for our 3+ million members across the country.
We’re looking for an outstanding and passionate Senior Application Security Engineer. In this role, your primary focus will be ensuring, enforcing, and maintaining our high standards of security, with particular regard to member data.
This role is hands-on and technical, while also requiring the awareness to identify gaps and drive the creative application of state-of-the-art security practices and controls. CLEAR is a fast and nimble company, so the ideal candidate will be able to leverage automation and data analysis to embed continuous security practices into our development and operational workflows. The application security program must ensure that any software developed or acquired meets these stringent standards while still enabling rapid innovation to meet the ever-changing needs of the business. Successful candidates will be security evangelists who can translate security concepts into language that is meaningful to many audiences, including business and technical leaders.
What you will do:
- Work with Software Engineering and DevOps leaders to build CLEAR’s next-generation build and deploy (CI/CD) system. Define technical requirements, deploy and manage tooling, and build processes that catch application security issues before code is released.
- Partner with the company’s Software Engineering, DevOps, and IT teams to ensure all new and existing software is fully vetted and remains secure. Perform code review, security risk assessments, manual and automated security testing, and threat modeling, and educate developers on secure coding practices.
- Lead internal and external penetration tests of CLEAR’s most critical assets, and triage findings with internal stakeholders for remediation.
- Establish security standards and specifications that balance the needs of a more secure product offering with the needs of the business. Ensure all internet-facing and backend services, data stores, and supporting infrastructure are built and maintained with security in mind.
Who you are:
- 5-8 years of experience in software development and implementing security into organization wide SDLC processes.
- Minimum of 8 years’ experience (in excess of degree requirements). Minimum 2 years’ relevant architecture experience with expert-level knowledge of application systems design and integration.
- Excellent interpersonal communication skills; can take very technical issues and make them understandable to all audiences.
- Personal passion for security and cutting edge security concepts.
- Strong understanding of Software Security Architecture and Design, SDLC, CI/CD, and the ability to clearly articulate best practices for application security.
- Experience writing and pentesting web applications and web services.
- Proficient in reading many different programming languages.
- Able to evaluate, deploy, and manage application security tools (e.g. DAST, SAST, RASP, WAF) and build strong vendor relationships.
- Experience with a public cloud provider (Amazon Web Services, Microsoft Azure, or Google Cloud Platform).
- Demonstrable knowledge of TCP/IP, HTTP, RESTful APIs, application security, and experience supporting service-oriented, asynchronous, and distributed application architectures.
- Previous experience on a Security team, coordinating responses to security incidents and/or writing and presenting application security assessment reports.
- Knowledge of containers and scheduling frameworks (e.g. Kubernetes, Docker Swarm, DC/OS, ECS).
- Experience integrating security practices into continuous integration tools and pipelines.
- Well-rounded background in host, network, and application security, including knowledge of internet security issues and the threat landscape.
- Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, the WASC Threat Classification v2, and the CWE/SANS Top 25 to any audience, and discuss effective defensive techniques.
- Ability to listen for nuances, dig into details in order to understand systems deeply, and articulate technical details and risks to business leaders.
- Familiarity with one or more industry standards and regulations such as PCI DSS, NIST SP 800-53, FedRAMP, and ISO 27001.
- Strong programming and scripting experience in C#, C++, Java, Python, Bash, Go, or something similar.
- Participates in CTFs or actively contributes to the security community through exploit development.
- Bachelor's degree or higher in Computer Science.