Clear Secure
Posted 3 days ago
$170,000 - $215,000/Yr
Full-time • Mid Level
New York, NY
Administrative and Support Services

About the position

CLEAR's mission is to create frictionless experiences where every day feels magical. We are looking for a Product Security Engineer to join our growing team. As a Product Security Engineer, you will have the opportunity to take your penetration and overall application security testing to the next level. Our team performs everything from biometric and Web security testing to remediation, as well as creating automated security products, enabling stakeholders across CLEAR to deliver secure software.

Responsibilities

  • Partner with the company's Product, Software Engineering, DevOps, and IT teams
  • Perform security risk assessments, manual penetration security testing, automated security testing, and threat modeling, and develop/conduct education on secure coding
  • Deliver security products and consult with DevOps, as part of a high-profile security team, supporting automated security testing as part of CLEAR's next-generation CI/CD pipelines
  • Lead internal and external penetration tests across CLEAR's most critical assets, as well as triage issues with internal stakeholders for remediation
  • Develop functional and non-functional security requirements
  • Conduct security assessments, code reviews, and penetration tests to identify vulnerabilities in applications and software
  • Implement and manage security tools, including SAST, DAST, SCA, and other security automation frameworks

Requirements

  • Minimum of 5 years of experience in software development and implementing security into SDLC processes
  • Minimum of 2 years of relevant architecture experience with expert-level knowledge of application systems design and integration
  • Comprehensive knowledge, experience, & understanding of testing for the OWASP Top 10 or CWE Top 25, including PoCs, automating attacks, and secure code remediation
  • Excellent interpersonal communication skills. Can explain very technical topics to all audiences and break down vulnerabilities to both developers and leadership
  • Strong understanding of Software Security Architecture and Design, SDLC, CI/CD, and the ability to clearly articulate best practices for application security
  • Experience with evaluating, deploying, and managing application security tools (e.g. DAST, SAST, IAST, RASP, WAF) and building strong vendor relationships
  • Familiarity with one or more industry standards and regulations such as PCI, NIST 800-53, FedRAMP and ISO27001
  • Strong programming and scripting experience in Python, BASH, Go, Java, JavaScript or similar
  • Experience using security testing tools such as Burp Suite, Metasploit, OWASP ZAP, nmap, Frida, etc.
  • Experience with mobile platform-specific security, privacy, and permission concepts for iOS & Android mobile platforms as well as mobile technologies such as WebViews, TouchID/FaceID API, etc.

Benefits

  • Comprehensive healthcare plans
  • Family-building benefits (fertility and adoption/surrogacy support)
  • Flexible time off
  • Annual wellness stipend
  • Free OneMedical memberships for you and your dependents
  • A CLEAR Plus membership
  • 401(k) retirement plan with employer match
  • Catered lunches every day
  • Fully stocked kitchens
  • Learning & development stipends and reimbursement programs