Senior Product Security Engineer - Application Security
Medallia’s mission is to help companies win through customer experience. The world’s best-loved brands trust Medallia’s Experience Cloud™, which embeds the pulse of the customer in an organization and empowers employees with the real-time customer data, insights, and tools they need to make every experience great. Named a leader in the most recent Forrester Wave and ranked in the 2018 Forbes Cloud 100 list, Medallia is growing quickly, with a global footprint that spans Silicon Valley, Austin, New York, Washington DC, London, Paris, Sydney, Buenos Aires, and Tel Aviv. Here, we value people for each of the aspects that make them whole. We believe that people should not be defined only by a job title—nobody is "just an engineer" or "just a salesperson." We are each partners, parents, children, siblings, friends, and former classmates. We have different backgrounds and we celebrate different cultures. And, just like our product, we honor each of the experiences that build our people.
At Medallia we hire the whole person, not just a part of them.
At Medallia, the Product Security team’s mission is to build customer trust in Medallia’s products by setting the standards and principles for secure development and validating our security through continuous assessment.
At Medallia, we feel very strongly about protecting our clients’ information, and are looking for like-minded engineers to solve complex security challenges while enabling the rapid growth of the business globally. This Product Security role is key to maturing our security program within the development lifecycle of our product portfolio and offers tremendous growth opportunities at a security-conscious company on a high-growth trajectory.
As Medallia becomes a trusted partner to organizations across the globe and spanning several industry verticals, it is more important than ever that we continue to stay a step ahead in securing our applications, services and data. The Senior Product Security Engineer role will work closely with our global engineering teams and ensure that we build secure and robust software in the world of SecDevOps and Agile. We are looking for a candidate who is passionate about security, has a strong technical background and loves creating innovative solutions to challenging problems.
Our Engineering Culture
- We don’t expect to be perfect, but we are always proactively seeking out ways to help ourselves and our teams to minimize pain points within our infrastructure and code base.
- We love technology, follow the latest technologies, and share what we learn.
- We are not afraid of failing when we are experimenting with different technologies, development methodologies, and tooling.
- We build strong relationships with team members around the globe and are not afraid to challenge our team members and peers on enforcing good habits and best practices.
Specifically, You Will:
- Perform application security assessments including architecture review, threat modeling, code review and penetration testing, on both web (Java) and mobile (iOS, Android, and React Native) platforms.
- Assist and enable engineering teams to adopt secure development practices.
- Provide software security advice to cross-functional teams including product, engineering, and services.
- Work closely with engineering and product teams to drive security issues to resolution.
- Develop and mature software security guidance including training materials, best practices, secure development standards, reusable code, etc.
- Automate security testing at scale by building and implementing static and dynamic analysis tools, integrating security into the software development lifecycle.
- Employ knowledge and deep understanding of threat landscape, SaaS industry, and customer feedback to drive the pipeline of impactful security features.
- 3+ years’ experience with software security assessments and remediation in Java (or other object-oriented languages).
- Drive to take ownership of projects and drive resolution without close supervision.
- Proven ability to work collaboratively across and within teams.
- Strong skills in at least two of the following areas: architecture review/threat modeling, penetration testing, and static code analysis automation.
- Hands-on experience with tools and technologies used throughout secure SDLC (e.g., Checkmarx, Fortify SCA, Coverity, AppScan Standard/Enterprise, WebInspect, Netsparker, Burp Suite, etc.).
- Independent problem-solving capabilities and excellent communication skills.
- Must be clearable and be receptive to a background investigation.
- 5+ years’ experience with software security assessments and remediation in Java (or other object-oriented languages).
- CISSP or CSSLP certification.
- Knowledge of OSS scanning tools like Black Duck, SRC:CLR, Codenomicon AppCheck.
- Knowledge of Node.js or any modern JS framework (such as React.js), or with native mobile development.
- Knowledge of popular web development frameworks (AngularJS, React, Redux, Velocity, StringTemplate, jQuery, Jackson, THRIFT, etc.).
- Proficiency with Python, Ruby, or other scripting languages.
- Knowledge of microservices architecture and containers.
- Experience working in a compliance-focused environment.
- Knowledge of FedRAMP (Federal Risk and Authorization Management Program).
- Knowledge of FISMA (Federal Information Security Management Act).
- Software Security, Application Security, (software) Architecture Review, Secure (software) Architecture, Secure (software) Design, Secure Code Review, (application) Pen-Testing, (application) Penetration Testing, Dynamic (security) Analysis, Static Analysis, Checkmarx, Fortify SCA, Coverity, AppScan, AppScan Standard, AppScan Enterprise, WebInspect, Netsparker, Burp Suite
At Medallia, we don’t just accept difference—we celebrate it and recognize the value it brings to our customers and employees. Medallia is proud to be an equal opportunity workplace and is an affirmative action employer. Equal opportunity and consideration are afforded to all qualified applicants and employees. We won't unlawfully discriminate on the basis of gender identity or expression, race, ethnicity, religion, national origin, age, sex, marital status, physical or mental disability, Veteran status, sexual orientation, and any other category protected by law. We also consider all qualified applicants regardless of criminal histories, consistent with legal requirements. Medallia is committed to working with and providing reasonable accommodation to applicants with disabilities in accordance with the Americans with Disabilities Act and local disability laws.