
Senior Product Security Engineer - Application Security (Federal - US Remote)

  • Location: Washington, DC
  • Team: Security Engineering
  • Role Type: Full-Time Employee (Individual)
Medallia’s mission is to help companies win through customer experience. The world’s best-loved brands trust Medallia’s Experience Cloud™, which embeds the pulse of the customer in an organization and empowers employees with the real-time customer data, insights, and tools they need to make every experience great. Named a leader in the most recent Forrester Wave and ranked in the 2018 Forbes Cloud 100 list, Medallia is growing quickly, with a global footprint that spans Silicon Valley, Austin, New York, Washington DC, London, Paris, Sydney, Buenos Aires, Tel Aviv, and Prague. Here, we value people for each of the aspects that make them whole. We believe that people should not be defined only by a job title—nobody is "just an engineer" or "just a salesperson." We are each partners, parents, children, siblings, friends, and former classmates. We have different backgrounds and we celebrate different cultures. And, just like our product, we honor each of the experiences that build our people.

At Medallia we hire the whole person, not just a part of them.

Medallia’s security team is responsible for the security of the overall Medallia platform and entire global infrastructure. We are looking for exceptional technical engineers, who understand multi-tenant SaaS environments, and will work closely with our global engineering teams and ensure that we build secure and robust software in the world of SecDevOps. We are looking for a candidate who is passionate about security, has a strong technical background and loves creating innovative solutions to challenging problems.

Medallia is a technology powerhouse and our security challenges cannot be solved by traditional security technologies. This role requires creative thinking and innovative approaches to help stay a step ahead in securing our applications, services and data. This role will be responsible for developing and operating tools, technologies and processes to mature our security program within the development lifecycle of our product portfolio. Focussing on Medallia’s Federal environment, the role will be driving application security initiatives across the technical stack.

Our Engineering Culture

  • We don’t expect to be perfect, but we are always proactively seeking out ways to help ourselves and our teams to minimize pain points within our infrastructure and code base.
  • We love technology, follow the latest technologies, and share what we learn.
  • We are not afraid of failing when we are experimenting with different technologies, development methodologies, and toolings.
  • We build strong relationships with team members around the globe and are not afraid to challenge our team members and peers on enforcing good habits and best practices.

Specifically, You Will:

  • Perform application security assessments including architecture review, threat modeling, code review and penetration testing, on both web (Java) and mobile (iOS, Android, and React Native) platforms.
  • Assist and enable engineering teams to adopt secure development practices.
  • Provide software security advice to cross-functional teams including product, engineering, and services.
  • Work closely with engineering and product teams to drive security issues to resolution.
  • Develop and mature software security guidance including training materials, best practices, secure development standards, reusable code, etc.
  • Automate security testing at scale by building and implementing static and dynamic analysis tools, integrating security into the software development lifecycle.
  • Employ knowledge and deep understanding of threat landscape, SaaS industry, and customer feedback to drive the pipeline of impactful security features.

Minimum Qualifications

  • 3 - 5 (5+ preferred) years’ experience with software security assessments and remediation in Java (or other object-oriented languages).
  • Drive to take ownership of projects and drive resolution without close supervision.
  • Proven ability to work collaboratively across and within teams.
  • Strong skills in at least two of the following areas: architecture review/threat modeling, penetration testing, and static code analysis automation.
  • Hands-on experience with tools and technologies used throughout secure SDLC (e.g., Checkmarx, Fortify SCA, Coverity, AppScan Standard/Enterprise, WebInspect, Netsparker, Burp Suite, Nessus, etc.).
  • Independent problem-solving capabilities and excellent communication skills.
  • Must be clearable and be receptive to a background investigation.

Preferred Qualifications

  • CISSP or CSSLP certification.
  • Knowledge of OSS scanning tools like Black Duck, SRC:CLR, Defensics, Snyk.
  • Knowledge of Node.js or any modern JS framework (such as React.js), or with native mobile development.
  • Knowledge of popular web development frameworks (AngularJS, React, Redux, Velocity, StringTemplate, jQuery, Jackson, THRIFT, etc.).
  • Proficiency with Python, Ruby, or other scripting languages.
  • Knowledge of microservices architecture and containers.
  • Experience working in a compliance-focused environment.
  • Knowledge of FedRAMP (Federal Risk and Authorization Management Program).
  • Knowledge of FISMA (Federal Information Security Management Act).

At Medallia, we don’t just accept difference—we celebrate it and recognize the value it brings to our customers and employees. Medallia is proud to be an equal opportunity workplace and is an affirmative action employer. Equal opportunity and consideration are afforded to all qualified applicants and employees. We won't unlawfully discriminate on the basis of gender identity or expression, race, ethnicity, religion, national origin, age, sex, marital status, physical or mental disability, Veteran status, sexual orientation, or any other category protected by law. We also consider all qualified applicants regardless of criminal histories, consistent with legal requirements. Medallia is committed to working with and providing reasonable accommodation to applicants with disabilities in accordance with the Americans with Disabilities Act and local disability laws. For information regarding how Medallia collects and uses personal information, please review our Privacy Policies.