Senior Application Security Engineer

California, Missouri
Thumbtack
About the Security Team

At Thumbtack, application security engineers support the building of products and systems that directly impact our customers and professionals to ensure that we are deploying as secure a product as possible. We believe in tackling these hard problems together as a team, with strong values around collaboration, ownership, and transparency. To read more about the hard problems that our engineering team is taking on, visit our engineering blog .

Challenge

The security landscape continually evolves, requiring proactive measures and deep understanding of emerging threats. Integrating security into the DevOps process necessitates sustained collaboration with development teams. The ideal candidate is experienced in cloud security, Linux, scripting, modern programming, web development, and proficient in mitigating common web application security vulnerabilities.

Responsibilities

• Design, implement and maintain security-oriented software that makes it easier for non-security engineers to build secure products
• Collaborate with many teams and functions across Thumbtack to make technical, design, strategy, and product decisions relating to security
• Act as an internal security subject matter expert, advocating for better security practices throughout the company
• Perform security design reviews and threat modeling on-demand and as needed
• Participate in security incident response
• Grow your career in an engaged and innovative engineering community that ships transformative products and services
• Help evaluate the adoption of open source software and 3rd party integration from a security standpoint

What you’ll need

If you don’t think you meet all of the criteria below but still are interested in the job, please apply. Nobody checks every box, and we’re looking for someone excited to join the team.

• 5+ years experience leading complex, technical, XFN projects (Data Platform or Infrastructure a plus)
• Experience and understanding of application and infrastructure security standards and best practices
• Experience in security hardening in a public cloud environment (AWS, GCP)
• Experience and proven ability in delivering secure products and services in a cloud environment
• Ability to think strategically at the program level, dive in and be hands-on in day-to-day action
• Experience in secure design and authoring security tools and libraries

Bonus points if you have

• Experience with conducting a penetration test, deploying static and dynamic code analyzers, orchestrating threat modeling and rapid risk assessments
• Hold an Offensive Security Certified Professional (OSCP) certification
• Familiarity with security frameworks such as OWASP (including Mobile) NIST CSF, NIST SP 800-x, COBIT, ISO-27001, PCI DSS
• Working experience with NIST Common Vulnerability Scoring System (CVSS) and Threat Modeling Framework such as STRIDE or PASTA

For candidates living in San Francisco / Bay Area, New York City, or Seattle metros, the expected salary range for the role is currently $180,000 – $250,000. Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.

For candidates living in all other US locations, the expected salary range for this role is currently $170,000 – $215,000. Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.

Thumbtack is a virtual-first company, meaning you can live and work from any one of our approved locations across the United States, Canada or the Philippines. Learn more about our virtual-first working model here .