Application Security Architect
We are seeking a highly motivated and talented Application Security Architect to be part of a diverse, smart and driven Information Security Team at BlackLine focused on securing applications and proactively managing risk.
This is a great opportunity to establish the application security baseline for the entire portfolio of BlackLine SaaS and to be a catalyst for continuous delivery of secure products that our customers love to use.
Duties and Responsibilities:
• Be a member of the Architecture Review Board and perform Architecture Risk Analysis/Threat Modelling to identify the attack surface, threat agents and software security risk on web applications, services and API endpoints
• Build consistent artifacts for threat modelling that can be used as a reference for secure software development practices
• Provide guidance on remediating the identified risk and design security controls to meet the highest security standards
• Create security libraries that can be leveraged by Engineering teams to address vulnerabilities at scale
• Establish application security standards/baselines as a guiding principle to build secure-by-default applications
• Partner with the product security team to build the product security roadmap
• Design and advocate the integration of security reviews aligned with DevSecOps principles to proactively identify vulnerabilities in the SDLC
• Identify the software security metrics that are vital and automate the process of metric collection
• Perform gap analysis on the current state of security tooling and drive towards the target state
• Keep abreast of the latest software security risks and share this knowledge in the context of architecture and product design reviews
• Mentor Application Security Engineers and Security Champions about security best practices
• Effectively communicate risks at an audience-appropriate level, up to and including BlackLine general staff and the executive management team (EMT)
Qualifications:
1. BS degree in Computer Science, Engineering, or related discipline; MS preferred.
2. 10+ years of experience in security architecture and design focused on application/product security
3. Familiarity with OWASP TOP 10 Vulnerabilities, SANS TOP 25, WASC risk framework
4. Expert knowledge of OWASP ASVS, SAMM, and prevention techniques for various classes of security vulnerabilities
5. Solid understanding of cryptographic algorithms, PKI, authentication protocols, Transport Layer Security, OpenID Connect, OAuth 2.0, SAML
6. Automation and development experience in programming languages such as C#, ASP.NET, Java, Ruby, Python, etc.
7. Contributions to the security community, such as development of open source tools, conference talks, blogs, etc.
8. Clear understanding of core architectural concepts: baseline-target-gap-roadmap, trust domains, etc.
9. Experience with application security tools such as SAST, DAST, IAST, RASP, SCA, WAF and their integration with the Software Development Life Cycle
10. Experience with the public cloud (AWS, Azure, or GCP) and knowledge of cloud-native development practices and reference architectures that deliver load balancing, failover/failback, and region/AZ availability
11. Excellent verbal, written, presentation, listening, and negotiation skills, with ability to present complex information in a clear and concise manner.
12. Strategic thinker with the ability to roll up sleeves to get things done.
13. Successful track record of building strong relationships and working across the organization to influence and drive change.
14. Certifications or equivalent level of knowledge desired: Offensive Security Certified Professional (OSCP), GIAC Web Application Penetration Tester (GWAPT), CISSP