It's fun to work in a company where people truly BELIEVE in what they're doing!

We're committed to bringing passion and customer focus to the business.

About iHerb

iHerb is one of the leading global e-commerce retailers providing Nutritional and Wellness products. Our growth is exponential, we are seeking “Top Talent” to drive our success!  Our values can be best defined as an environment in constant pursuit to conscientiously meet the needs of our customers, business partners, and team members while doing our part to safeguard the environment.

Job Summary:
We are a highly distributed e-commerce company with several different in-house developed systems that deal with the huge volume of data flowing throughout the system. We are looking for an Application Security Engineer to be a key liaison between the software development teams and the security team. Making sure the developers stay on top of their game for creating secure code, reviewing and testing code and builds from a security perspective, and following up on findings
 About You:

• You Can monitor and maintain Application Security training and related awareness campaigns: Champion the Security & Privacy Awareness Program for Application Development
• You are able to participate, review and advise on the security of new web applications, API’s and Mobile Applications.
• You can manage remediation of any findings from internal or external assessments
• You are able to support our compliance programs (such as PCI) by helping implementing and documenting controls, examining evidence for compliance to standards. 
• You are able to run DAST/SAST Scans (Acunetix, Burp Suite, Nessus, Etc.)
• You can conduct Threat Modeling / Risk Assessments in accordance with policies and Standards, document, and work with business units to remediate findings.
• You have the ability to run scans and penetration tests.
• You have ran Vulnerability Scans (Kubenertes/Docker, Database, PCI/ASV)
• You have 3-5 years of experience with Application and Network Security
• You have a Bachelor’s Degree in Information Technology, Information Security, Computer Science, or related field.
• Advanced industry certification strongly desired, e.g. SANS GIAC (CEH - Certified Ethical Hacker or GXPN - Exploit Researcher and Advanced Penetration Tester, are preferred), Offensive Security Certified Professional (OSCP), CompTIA Security+, CISSP,...

 
Key Qualifications:

• Knowledge of application development languages (e.g. .NET, .Net Core, JavaScript, etc.)  and common scripting languages (e.g. PowerShell, C#, Python, T-SQL etc.) and/or the ability to learn as required
• Familiar with SQL Server Administration and Queries
• Possess an understanding of PCI Compliance and EU GDPR Requirements
• Provide support for strategic business process/reengineering consulting as appropriate and work on multiple technically complex high profile projects. 
• Demonstrate an understanding of key IT operational policies, processes and methodologies applicable to governance, risk management and compliance. 
• General understanding of security fundamentals and general security technologies, including operating systems, network security (firewalls, VPNs, etc.), security event management, business continuity, physical security, identity management, directory services, etc. 
• Deep knowledge of OWASP Top 10 (2013 and/or 2017 Version) vulnerability detection and mitigation
• Familiar with security of LANs, WANs, Firewalls, VPN, MPLS and related Network Applications
• Knowledge of Active Directory, DDNS, Group Policy, Microsoft Windows Server and Desktop operating systems
• Knowledge of Linux based Operating Systems, Logging and Troubleshooting

What we offer:

• An opportunity to get involved and build the tech foundation in a highly elastic distributed system deployed across 17 different datacenters in 3 different clouds.
• Competitive compensation
• Growth potential. We rapidly advance team members who have an outsized impact.
• Flexible vacation policy.
• Equity award program