Senior Product Security Engineer (Remote)

Enova is currently accepting candidates for remote positions in the following eligible states: AL, AK, AR, AZ, CT, GA, IA, ID, IL, IN, KY, LA, MA, ME, MD, MI, MN, MO, MS, NC, ND, NE, NH, NV, NJ, NM, OH, OK, OR, PA, RI, SC, SD, TN, UT, VT, WI, WV, WY.

About the role: 

In this role, you will be responsible for building, developing and designing strategies of embedding security testing and enforcement within the SDLC across Enova Products. This is a hands-on role requiring in-depth knowledge of software security principles. You will be responsible for prioritization and implementation of various DevSecOps projects and Tech initiatives across all of Enova’s Digital Products. In addition, you will be responsible for conducting application static code reviews, dynamic security assessments, build Container security standards, AWS security posture assessments. You will be expected to have a “can-do” attitude and work independently to drive solutions. Enova’s Security Engineering team designs, implements, and administers the tools and mechanisms involved with providing end to end IT security for Enova.

What you’ll be doing: 

• Serving as a security subject matter expert in a consultative capacity with the development teams through the software engineering process – including security reviews/remediation at various stages of the SDLC.
• Building partnerships with other engineering teams, be a source of expertise in security best practices.
• Performing threat modeling, architecture reviews, and application testing ensuring critical vulnerabilities are identified, communicated to team members, and driving delivery of mitigations.
• Developing and delivering security training to software engineers.
• Researching emerging technologies and maintaining awareness of current security risks in support of security enhancement and development efforts.
• Coordinating around, participating in and managing information security projects.
• Implementing tools to test and enforce application security policy as part of DevSecOps pipeline
• Using appropriate interpersonal styles and subject matter knowledge to partner, gain trust and influence across the organization.
• Delivering best in class customer service to internal customers
• Playing a senior role in design, development, quality and operations of services owned by the team partnering across product management, architects and operations.
• Mentor software engineers, security engineers and evangelize security initiatives.

We’re excited about you if you have:

• Experience in AWS(Amazon Web Services), Containers(Dockers/Kubernetes), Microservice architectures, past DevOps/Software engineering experience.
• Experience with security testing tools such as Kali, Snyk, Checkmarx, GoSec, Burp Suite, OWASP ZAP, etc.
• Proficiency with application pen testing and vulnerability assessments

An ideal candidate may also have:

• Programming experience in Go, Python, Java, JavaScript, Ruby etc.
• Familiarity on Frameworks such as Ruby on Rails, Java Spring Boot etc..
• Strong communication skills and desire to collaborate across teams
• Demonstrated ability to ship production-quality software in a dynamic environment
• Experience working with firmware and hardware security
• Familiarity with data privacy regulations and compliance
• OSCP, OSWE, SANs, AWS Security Speciality Certification, Certified Kubernetes Security Specialist (CKS).
• Experience with threat modeling and attack surface design 

About our team:

Our IT Security Engineering Team works alongside our teams in Systems, Monitoring, Application Engineering, and Network Engineering to deliver top notch and secure infrastructure and automation solutions. We are experts in the IT security field, but are also well-versed in applications, development life cycles, and automation techniques. We have passionate debates about technology with consensus in solutions, flexible team structures, an irrelevance of title in problem solving, and a desire to Do The Right Thing.

Enova currently uses a multitude of Application Security tools such as Checkmarx, Snyk, Burp Suite Pro, Anchore Container Security, AWS (GuardDuty, SecurityHub), GoSec. Our server and application platform primarily runs on Vmware and several workloads exist in Amazon, with plans to expand services into the cloud.

#LI-RC1