Job Description
Arc XP (www.arcxp.com )is a cloud-based digital experience platform that helps enterprise companies, retail brands and media and entertainment organizations create and distribute content, drive digital commerce, and deliver powerful multichannel experiences. A division of The Washington Post, Arc XP has powered the digital transformation of customers across the globe, currently serving more than 1,500 sites in 25+ countries that reach more than 1.5 billion unique visitors monthly.
Built 100% on AWS, the Arc platform follows a microservice architecture. All of our software teams use dev ops to deliver and maintain products. Our processes are lightweight, which allows our teams to innovate quickly to bring new ideas to market. New features and products are deployed to our customer base every day.
We are currently looking for a Principal Application Security Engineer who will become a security evangelist, capable of translating security language and requirements into language that is meaningful to many audiences, including business and technical leaders, and individual contributors. You will help us build tools that enable our Arc teams to be more self-sufficient delivering secure and scalable software. We want our secure computing policies and controls to be automated and embedded in the way we work, and you will be responsible for finding ways to make sure the way we build, deploy and operate our SaaS platform adheres to our standards. We have some of the industry’s most talented, technical, and capable engineering teams, so being able to clearly communicate our AppSec vision and gain adherence by influence is a must. You will be part of a small and dedicated team day to day, but you will collaborate and work with all Arc teams to help us realize our security program goals.
Responsibilities
Integrate security tools, standards, policies, controls and processes into the Software Development Lifecycle (SDLC) for all Arc teams
Develop and integrate software and tools to gain insights into secure development practices and compliance
Own security engineering activities such as threat modeling, architecture review, and code review
Develop and set standards for secure development standard documentation and training
Support security incident response and provide expertise in remediation
Set cadence and lead execution of penetration testing services, including preparation of executive summaries for both internal and external parties
Lead security-related services or software vendor evaluation and ensure 3rd party meets Arc’s security standards
Develop and integrate metrics reporting tools to track the state of application security program and performance of development teams against requirements
Review documentation, code, and processes with an eye towards continuous improvement and risk mitigation
Qualifications
Minimum Qualifications
BA/BS in Computer Science or related technical field or equivalent practical experience
5+ years application security experience, working with teams building highly scalable, customer facing applications
Knowledge of application security vulnerabilities in terms of cause, effect, and remediation techniques
Proficiency in at least two programming languages, including at least one dynamic language such as JavaScript or Python
Experience with common software development process tools such as Jira, Git, Maven, Npm, Jenkins, Trello, and Confluence
Experience with common automated security analysis tools such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis)
Familiarity with unit testing frameworks and tools such as Jest, JUnit, Mocha/Chai
Familiar with security engineering best practices and how they fit into agile development processes
Preferred Qualifications
Familiarity with industry standards and regulations such as PCI, GDPR, and ISO27001
Experience supporting tools and processes for secure web applications on AWS and AWS Lambda
Experience with automated deployment tools such as CloudFormation, CDK, and/or Serverless
Experience with end-to-end testing frameworks.
Experience analyzing application and cloud environment security standards.
Exceptional written and oral communication skills
#LI-REMOTE
The Post strives to provide its readers with high-quality, trustworthy news and information while constantly innovating. That mission is best served by a diverse, multi-generational workforce with varied life experiences and perspectives. All cultures and backgrounds are welcomed.
