Zylo, the leading SaaS Management platform, helps more than 100 organizations control growing SaaS costs and reduce risk with complete visibility of all SaaS applications, including Shadow IT, the growing majority of apps that are not managed by IT.
Zylo’s mission is to provide employees with easy access to the SaaS applications that make them effective, while controlling the cost and risk of SaaS. Zylo identifies and reduces redundant applications, duplicate expenditures, and underutilization of SaaS applications to optimize spend, reduce operational burden, and manage renewals proactively. With the industry’s leading SaaS application catalog, Zylo is paving the way for compliant and optimized self-service SaaS.
As our lead security engineer, you will take ownership of ensuring that Zylo is operating with the highest degree of stewardship for the security of our customers and their data. This is a hands-on, technical role and the first of its kind at Zylo. This role will take ownership of implementing security best practices for cloud systems and drive forward a culture of security conscious thinking.
Work closely with our product and engineering team to scope and execute platform and application security initiatives. Lead reviews throughout the development cycle, including architecture reviews and threat models, secure code reviews, and platform and application penetration testing. Creative security solutions are expected in order to enable our engineers to excel at what they do best.
The role is geared for a Security Engineer that has experience with platform and application security testing, software engineering, and working in an agile engineering environment. We are a ‘remote first’ team with members in multiple time zones.
What you will do:
- Audit current cloud configurations for security vulnerabilities
- Implement tools for continuous monitoring of the security and health of cloud systems within Amazon Web Services (AWS)
- Collaborate with other Engineers and Engineering leadership to drive a culture of security-conscious thinking
- Assist in building and scaling cloud systems to deliver on product requirements
- Scope and perform application security reviews of our full stack: web applications, APIs, and architecture.
- Provide our engineers with well-researched security advice to demonstrate vulnerabilities and provide secure development guidance.
- Assist in the triage of vulnerabilities that are found internally, privately or publicly disclosed, or reported through our bug bounty program.
- Produce research and collaborate with our peers in the broader information security and public cloud communities and industries.
- Write and promote secure development practices and further education for our engineers.
- Deliver reporting evidence for SOC 2 compliance in collaboration with Zylo's Security Officer (CTO)
What you will need:
- Experience with Amazon Web Services technologies such as AWS Lambda, EC2, S3, and Amazon RDS (including PostgreSQL on RDS)
- Experience with both black-box and white-box (source-assisted) security testing of applications.
- Experience with public cloud infrastructure security protections and weaknesses
- Able to work collaboratively across diverse engineering teams and products to meet organizational security goals.
- Experience with performing threat modelling and manual secure code review.
- Strong grasp of practical cryptography usage, able to recommend the best approach for storage, transport and identity purposes, specifically in the realm of public cloud.
- Offensive mindset and the ability to think of and consider abuse and attack paths as well as the defensive mindset to think of recommendations to prevent them.
- Comfortable working with continuous integration/delivery and agile development teams.
- Attention to detail and good judgement
- Pragmatic thinker; ability to understand and make tradeoffs in a fast-paced environment
- Strong communication skills for both a technical and non-technical audience
- Creativity to identify gaps in current processes
- Strong time management skills
- Strong working knowledge of software engineering and architecture, web applications, linux internals, HTTP, TLS.
- Scripting skills (our primary languages are Node.js and Python but we’ll happily speak to candidates with other language backgrounds.)
- Linux, and especially isolation and hardening technologies such as Docker, seccomp, and grsecurity.
- A functional understanding of Amazon Web Services primitives (VPC, IAM, KMS, EC2, S3, EBS, ELB, etc.) or the equivalent primitives in another public cloud; AWS-specific experience is not required.
- Security features in container and container orchestration technologies (Docker or Kubernetes).
- Experience with building security automation is a big plus.
Zylo is an equal opportunity employer, and we value diversity at our company. We don’t discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.