Responsibilities

We are looking for a Sr. Security Engineer. If you’re looking for a real challenge in terms of mission criticality, multi-geographic region deployments, diversity of managed services, and the chance to be a part of an impactful team working with cutting edge cloud technologies and more, then this might be the position for you!

As a Sr. Security Engineer, you will be responsible for:

• Drive security into design and development by performing application security reviews, architecture and design reviews, and threat modeling, including code reviews for new and existing Workato products

• Assess risks to our customers across a wide range of product and technology areas, including backend infrastructure, key management, third-party integrations, authentication, and privacy. 

• Work with Engineering and Product Management to ensure the product’s security is prioritized appropriately against business, operational, and usability requirements.

• Partner and collaborate with development teams to support application vulnerability remediation efforts

• Monitor our exposure to, and assess the impact of new security threats, vulnerabilities and risks

• Support Workato’s bug bounty program

• Research new security trends and continually improve our internal processes, procedures, and tools, implementing new approaches to address the changing threat landscape within our SDLC and Runtime environments

• Promote security awareness by developing and delivering security training

• Coordinate external penetration tests and other offensive testing as needed

• Facilitate Red Teaming exercises to assess organizations’ response capabilities and security measures

• Obtain deep knowledge of Workato’s products and how they operate to facilitate stronger collaboration with internal teams

• Mentor others as you gain knowledge and experience

• Participate in SIRT on-call rotations

Requirements

Qualifications / Experience / Technical Skills

• 5+ years of relevant work experience in application security

• 3+ years experience as a software developer with at least one of Ruby, Golang, or equivalent

• Strong Threat Modeling experience on enterprise Saas solutions using common frameworks such as STRIDE or PASTA

• Bachelor’s or Master’s degree in computer science or equivalent experience

• Strong software development skills in languages such as Ruby, Go, Java, or Python

• Strong understanding of Web-related technologies (e.g. HTTP, SOAP, REST, TCP / IP, Message Queuing)

• Comprehension of encryption technologies (e.g. TLS, HMAC, RSA, AES, PKI)

• Knowledge of identity and access management solutions (e.g. SAML, OIDC, JWT, and SSO)

• Knowledge of OAuth 2, client-server authentication, server-server authentication

• Excellent ability to discover and demonstrate flaws such as SQL injection, XSS, and CSRF

• Experience with implementing and using SAST, DAST or IAST tools 

• Experience with AWS security solutions, WAF, IDS, vulnerability scanners, etc.

• Experience and knowledge of penetration testing techniques, application security vulnerabilities, OWASP Top 10, SANS 25, CWE, etc

• Experience advising and leading product teams on how to address a broad set of security and privacy challenges

• At least 1 information security professional certification (e.g. CLSSP, CISSP, CISA, GSSP, GSEC, etc.)

Soft Skills / Personal Characteristics

• Outstanding interpersonal and communication skills; ability to communicate information successfully internally and externally and to drive multi-functional alignment and action

• Code samples, papers, presentations, vulnerability disclosure reports (or anything else that demonstrates your competence)