Application Security Engineer (R4927)

Engineering Remote, United States


Come join Avalara's team of passionate and team oriented security experts. As a member of the application security team, you will help ensure that applications at Avalara are secure from code commit to production. You will engage with the engineering organization to ensure Avalara's customers can feel secure in our handling of their data. This work will include security design consulting, researching and writing technical standards, providing developer focused security training, and building secure reference examples, terraform modules, and other security templates and guardrails. We are also responsible for maintaining Avalara's security testing and tooling pipeline, including threat modeling, SAST, DAST, and SCA. Additionally, you will work to ensure Avalara handles responsible disclosures and issue validation efficiently and accurately.

Job Duties

  • Set strategic direction for application security within Avalara, including processes, tools, metrics, and reporting
  • Perform code and design reviews of internal and customer-facing software products and solutions
  • Provide training, education, awareness, and communication to development and engineering groups
  • Develop and implement manual and automated security tests
  • Design, develop, and implement software development policies, standards, procedures, and technical controls
  • Participate in penetration testing activities, managing relationships with third party assessors
  • Participate in incident handling and response
  • Participate in M&A due diligence and integration processes

Qualifications

  • 1+ years' experience performing manual code review and analysis (or equivalent increase in development experience)
  • 1+ years' experience with application security tools such as HP Fortify, Checkmarx CxSAST, or BlackDuck OSS (or equivalent increase in development experience)
  • 5 years experience in the engineering field with security relevant expertise (Security Champions, DevSecOps, Security Satellite Members, and developers with strong security and remediation expertise are all applicable)
  • Bachelor's Degree or experience in Computer Science, Engineering, or related field (or equivalent experience)
  • Experience working with a variety of development tools, languages, and environments, including .NET, Java, PHP, Node.js, Ember, SQL Server, and Amazon Web Services
  • Working knowledge of source code repositories including Git
  • Experience developing and securing applications Cloud Native Applications (AWS,GCP)

Preferred Qualification

  • Experience with Infrastructure as Code such as Terraform strongly preferred
  • Experience with Kubernetes strongly preferred
  • Experience working in a multi-tenant SaaS environment, service-oriented architecture and web service security
  • Experience with agile software development processes and methodologies
  • Experience working with web vulnerability scanners such as Acunetix WVS or NTO Spider
  • Security certifications including CSSLP, OSCP, AWS Security Specialty, and GIAC GWAPT
  • Knowledge of regulatory and compliance standards including PCI, SSAE18 SOC 1/2, SOX, and GDPR
  • Hands on experience in a continuous integration/continuous deployment environment

The Avalara Product Security team has been remotely managed since inception 3 years ago, and we continue to support a healthy remote environment. We're committed to continued progress in diversity and inclusion. As an employee at Avalara, you'll have the opportunity to join resource groups focused on diversity of thought, engage with your local or global community about topics that matter to you and the organization and receive continued education around inclusion and development. As Avalara grows, so do the voices within it. It's time to hear your voice.

Avalara is an Equal Opportunity Employer. All qualified candidates will receive consideration for employment without regard to race, color, creed, religion, age, gender, national orientation, disability, sexual orientation, US Veteran status, or any other factor protected by law.