Staff Application Security Engineer

A Little About UsEDB provides a data and AI platform that enables organizations to harness the full power of Postgres for transactional, analytical, and AI workloads across any cloud, anywhere. EDB empowers enterprises to control risk, manage costs and scale efficiently for a data and AI led world. Serving more than 1,500 customers globally and as the leading contributor to the vibrant and fast-growing PostgreSQL community, EDB supports major government organizations, financial services, media and information technology companies. EDB’s data-driven solutions enable customers to modernize legacy systems and break data silos while leveraging enterprise-grade open source technologies. EDB delivers the confidence of up to 99.999% high availability with mission critical capabilities built in such as security, compliance controls, and observability. For more information, visit Description:As an Staff Application Security Engineer at EDB you will report directly to the Director of Information Risk Management as a trusted member of the CISO staff. Your role leads the transformation of the security and development processes within EDB, helping the organization identify, repair and protect against vulnerabilities throughout a secure software development lifecycle (SDLC). You are responsible for understanding multiple security frameworks, translating objectives, partnering with stakeholders and promoting best practices across all EDB products. The ideal candidate must be comfortable working in a global environment that supports flexible work schedules, and a distributed security model. Whether you are looking to expand autonomy in your role, build a new security foundation, or just needing a change of pace this role is for you!What your impact will be:Support the development and implementation of EDB’s application security services to be consumed by product teams and within our global infrastructure.Serve as an expert on application security frameworks and objectives by assisting owners as they define new control activities and seek maturity in their development processesBuild tools, processes and solutions that improve the security of EDB’s products and dataCollaborate with internal engineering stakeholders on addressing systemic security issuesGrow and mature relationships with internal security SMEsin a way that bridges the gap between product teams and information securitySupport Vulnerability Disclosure Program, triage, assess and analyze vulnerability reports submitted through the VDP, prioritizing them based on severity, risk, and exploitability.Coordinate vulnerability remediation, Work with internal development teams to reproduce, validate, and prioritize vulnerabilities. Facilitate timely patch development and deployment, ensuring efficient resolution.Produce application security metrics that demonstrate a continually improving application security posturePartner with InfoSec Program Management on the roadmap and execution of security initiatives.Support and manage EDB’s Vulnerability Disclosure programProficiency with threat modeling frameworks such as STRIDE, DREAD, PASTA, or OCTAVE.Experience with threat modeling tools, especially the process of selecting and implementing a new tool to partner with a new threat modeling process.Experience with Open Source Software (OSS) including familiarity with various open source licenses like MIT, GPL, Apache etc.Experience with implementation of security best practices related to securing the software supply chain, including patch management, vulnerability scanning, package management and tooling.What you will bring:Extensive experience working with developers and driving application security standardsExperience securing CI/CD pipelines enabling strong security controls through the implementation of commercial and custom built toolingConduct application design reviews and support the development of compensating security solutionsDrive the integration of secure development standards, tools, and processes into the development lifecycleExperience in threat modeling frameworks and processesExperience performing code audits on internal and open source librariesExperience with DAST, SAST, SCA as well as manual testing techniquesAbility to demonstrate strategic thinking beyond the specific responsibilities of the roleEffective communication skills with the ability to translate technical concerns into business risk impactsPersonal management of multiple projects, security events and incidents as required for the roleSeek to understand, lead with a collaboration first approachExperience assessing technical footprints found within on-prem and cloud environmentsStrong experience in NIST 800-218 SSDF, BSIMM, Owasp SAMM, or similar frameworksWhat will give you an edge:RedTeam knowledge and experienceExperience performing security code reviewsExperience with IaaS cloud infrastructure, Infrastructure as code, kubernetes container technologies, and software-oriented architectureKnowledge of the MITRE ATT&CK Framework and attack chainsExperience building and operating security tools in Multiple Operating Systems and various languages (C, Go, JavaScript, Python, Ruby, etc)EDB is committed to supporting our employees' overall well being by offering a range of benefits and resources to promote a healthy work-life balance and wellness. We provide access to CuraLinc to aid employees in health and wellness tips and practices, as well as Wellness Fridays extending to December 2024! Check out our career site for more information on perks and benefits and reach out to our Talent Acquisition team for region specific benefits.We know it takes a unique mix of people and skills to help us in our mission to supercharge Postgres, and we understand that not everyone will check every box. We’d love to hear from you and we want you to apply!EDB is proud to be an equal opportunity workplace. We celebrate diversity and are committed to creating an inclusive environment for all employees. EDB was built on a commitment to trust and respect each other and to embrace an array of people and ideas. These values remain at the center of our culture and are key to our company’s integrity.EDB does not seek or accept unsolicited resumes or CVs from recruitment agencies. EDB and its affiliates are not responsible for, and will not pay, any fees, commissions, or any other similar payment related to unsolicited resumes or CVs except as required in a written signed agreement between EDB and the recruitment agency or party requesting payment of a fee.#LI-Remote #BI-Remote