Principal Application Security Engineer

Work set-up: Full Remote
Experience: Senior (5-10 years)

Offer summary

Qualifications:

  • Bachelor’s degree in computer science, Cyber Security, or related field.
  • 7+ years of experience in application security.
  • Proficiency in at least 3 programming languages, especially Java, Spring, NextJS, Maven, Gradle, Docker.
  • Certifications such as OSCP, OSWE, and SANS GIAC certifications.

Key responsibilities:

  • Enhance and maintain the company's application security posture.
  • Lead secure software development practices and perform code reviews.
  • Identify, triage, and remediate application vulnerabilities using automated and manual testing.
  • Collaborate with engineering teams to design secure systems and conduct threat modeling.

Shutterfly (Computer Software / SaaS, XLarge, 10001 Employees)

Job description

At Shutterfly, we make life’s experiences unforgettable. We believe there is extraordinary power in self-expression. That’s why our family of brands helps customers create products and capture moments that reflect who they uniquely are.

We are seeking a highly experienced and visionary Principal Application Security Engineer to lead and evolve our application security strategy. In this role, you will be responsible for embedding security into every phase of the software development lifecycle, mentoring engineers, and driving initiatives that protect our applications and data at scale. This is a hands-on leadership role that combines deep technical expertise with strategic thinking and cross-functional collaboration.

Are you ready to challenge the status quo and deliver ad-hoc solutions that mitigate risk in clever ways? Do you have an open-source tool set that you can bring to the table? Are you eager to design secure applications in a pragmatic way? Is your tool set constantly evolving, and you love sharing it with anyone who’s interested? Are you always hunting for new vulnerabilities, not just at conferences, but on all the forums? Have you been a successful bug bounty hunter or filed a CVE? Do you build and code tools to help you in every aspect of your job? Do you “get” developers (because you are one) and are empathetic to their processes? If so, this role is for you.

Responsibilities: 

  • Enhance our security posture to protect our infrastructure, systems, and data from cyber threats.
  • Keep up to date with the security landscape by maintaining knowledge of current, relevant security threats, mitigations and best practices.
  • Secure SDLC: Define and implement secure development practices, including code reviews, static/dynamic analysis, and CI/CD pipeline integration (SAST, SCA, DAST, IAST, IaC, RASP, WAF, ASPM, CNAPP, CSPM).
  • Vulnerability Management: Identify, triage, and remediate application vulnerabilities through automated tools and manual testing.
  • Lead the Shift Left initiative, its toolset and its people processes, to secure our code before it is even written.
    • Provide guidance and recommendations to software engineering teams on implementing effective security measures to mitigate risk.
    • Be the Subject Matter Expert and top technical resource for AppSec to engineers around the organization: help engineers reproduce vulnerabilities, understand their impact, document issues, mitigate them, and retest the effectiveness of a fix.
    • Create code training exercises for engineers, developers, DevOps and Platform teams.
    • Train and liaise with Security Champions on development teams.
    • Review and approve critical PRs and code changes.
    • Perform and lead code reviews.
  • Partner with engineering teams to develop secure code libraries.
  • Perform and manage penetration testing: lead internal pen tests and red team exercises, and help manage and coordinate third-party testing.
  • Serve as the Subject Matter Expert (SME) and top technical contact for application security. Develop non-standard mitigations, outside the industry-standard methodologies, that reduce risk in clever ways.
  • Security Architecture & Design: Partner with engineering teams to design secure systems and applications, ensuring security is built-in from the ground up. Initiate and lead design, architecture and solution reviews.
  • Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications.
  • Security Tooling: Evaluate, implement, maintain and decommission security tools and platforms to support application security efforts. Be the top operator of all tools and platforms within the App Sec program. Leverage open-source tooling to continuously widen the toolset.
  • Incident Response: Collaborate with incident response teams to investigate and remediate application-related security incidents.
  • Mentorship & Leadership: Mentor junior security engineers and developers on secure coding practices and security principles. Build relationships with stakeholders and business leaders across the organization.
  • Cross-Functional Collaboration: Work closely with product, engineering, DevOps, and compliance teams to align security with business goals.
  • Security Advocacy: Champion a culture of security awareness and continuous improvement across the organization.

Required Qualifications: 

  • Bachelor’s degree in computer science, Cyber Security, or related field.
  • 7+ years of experience in application security.
  • Excellent communication and collaboration skills, able to work across IT, engineering, and business teams.
  • OSCP and OSWE certifications (or similar) demonstrating proficiency in network and web assessments, secure coding, and professional report creation.
  • SANS Certs: GIAC Web Application Penetration Tester (GWAPT); GIAC Web Application Defender (GWEB); SEC-542; SEC-642; SEC-644.
  • Mastery of app sec tooling, platforms, administration and operation.
  • Proficient coder in at least 3 languages who can code review in just about any language. Must be very proficient in Java, Spring, NextJS (React), Maven, Gradle, Docker, macOS.
  • Strong command-line and scripting skills (bash, PowerShell) both on Linux and Windows.
  • Managed a bug bounty program including policy, scope, triage, risk scoring (CVSS), bounty payments, hacker management, mitigation and re-testing.
  • Frequently participate in cyber security training platforms (Hack The Box, TryHackMe).
  • Advanced user of Burp Suite Pro, with experience creating custom extensions in Java or Python, or at least using and modifying existing ones.
  • Experience deploying and managing a RASP solution (e.g. DynaTrace, Prevoty, Contrast) and WAF (e.g. Akamai, AWS, Imperva, etc.) over multiple tech stacks.
  • Strong analytical and problem-solving abilities with a risk-based security approach.
  • Self-directed learner capable of quickly learning new technologies.

Preferred Qualifications: 

  • 10+ years of full stack development experience.
  • OSCP (Offensive Security Certified Professional) and OffSec Web Assessor (OSWA) certifications.
  • OSCE3 certification is highly desirable.
  • AWS Certified Security certification.
  • Submitted security reports for VDPs or bug bounty programs. You've found a CVE along the way.
  • Experience satisfying PCI 4 requirements.
  • Hack The Box Certified Bug Bounty Hunter (CBBH) or Certified Web Exploitation Expert (CWEE).
  • Setting up home lab storage/virtualization infrastructure.
  • Attending security conferences or participating in CTFs.

Supporting a diverse and inclusive workforce is important to Shutterfly not only because it directly reflects our value of Embracing our Differences, but also because it’s the right thing to do for our business and for our people. We welcome all applicants and evaluate them based on their qualifications, without regard to age, race, creed, color, national origin, ancestry, marital status, affectional or sexual orientation, gender identity or expression, disability, nationality, sex, or other characteristic covered by law. Learn more about our commitment to Diversity, Equity, and Inclusion on our Career Site.

This position will accept applications on an ongoing basis until filled.

The compensation package for this role is based on multiple factors, such as job level, responsibilities, location, and candidate experience. The base pay ranges included below are specific to the locations listed, and may not be applicable to other locations.

California: $144,250 - $204,500

Connecticut and New York: $144,250 - $187,000

Colorado, Illinois, Minnesota and Washington: $144,250 - $173,250

Nevada: $135,500 - $187,000

Maryland and New Jersey: $155,750 - $187,000

Hawaii: $127,000 - $152,500

This position may be eligible for a bonus incentive, health benefits, a 401K program, and other employee perks. More details about our company benefits can be found at https://shutterflyinc.com/benefits/.

This opportunity can be remote, but candidates must reside in a state in which Shutterfly is registered to do business. This includes all US states except District of Columbia, North Dakota, Mississippi, Rhode Island, Vermont, and Wyoming.

#SFLYTechnology

Required profile

Experience

Level of experience: Senior (5-10 years)
Industry: Computer Software / SaaS
Spoken language(s): English

Other Skills

  • Collaboration
  • Communication
  • Analytical Skills
  • Leadership
  • Mentorship
  • Problem Solving