Senior Application Security Engineer
Are you ready for the best destination of your career?
Spotnana is modernizing the infrastructure of the $1.4 trillion travel industry in order to bring freedom, simplicity, and trust to travelers everywhere. With over $115M in funding from top tier investors, including ICONIQ and Madrona Venture Group, we are tackling the hardest problems the travel industry has to offer and we need your help.
Culture is always fluid. It evolves as a business grows, along with the people who drive it forward. We seek people who have different perspectives, but shared values. Before you embark on this journey, quickly check in on whether you are aligned with our company values:
- Obsessed with Customer Needs: We earn the trust and loyalty of our customers by solving their problems.
- Do the Impossible: We solve tough problems through innovation and are inspired by unprecedented challenges.
- Build Globally, Serve Locally: We embrace a global mindset and celebrate diversity as we serve customers around the world.
- Act Like Owners: We constantly find problems to solve. Decisions are not made in isolation. We work hard, work smart, and work together.
- Constantly Change, Learn & Evolve: We flourish by adapting quickly to new challenges and by learning from everyone around us. Building something new is not always glamorous work. Roll up your sleeves, get your hands dirty, and evolve.
- Respect Above All: We are humble and treat others with the same respect we desire for ourselves. Our work culture is a safe environment where everyone is open to feedback and new ideas.
How you’ll make an impact
Spotnana is searching for an Application Security Engineer to join our growing global team. The ideal candidate is a hands-on leader who will help improve the security and privacy posture of Spotnana’s flagship online booking platform, its mobile application, the underlying backend services running in AWS, and our enterprise infrastructure.
This passionate individual will lead the secure SDLC and DevSecOps agenda at Spotnana, with a shift-left and automation mindset, working closely with the development, SRE, DevOps and cloud operations teams.
What you’ll own
- Own software supply chain and CI/CD security for Spotnana’s customer-serving applications and partner with stakeholders to implement guardrails (e.g. secrets management, secure configurations)
- Own bug-bounty and external penetration testing engagements
- Be part of the customer integration team, helping secure integrations and any custom implementations
- Be part of the incident response team where application-level context and triage are necessary to contain an issue
- Be the subject matter expert on risk and severity of security bugs
- Own API Security Design and Testing Methodology and Toolset
- Own manual and automated testing of our app for the OWASP Top 10
- Be the person looking from the outside in at Spotnana’s digital footprint, anticipating and conducting real-world attacks on Spotnana’s public-facing infrastructure and people
- Be the person who performs chaos engineering/attack simulation using inside knowledge and access
- Give input to the detection engineering team to create alerts based on real-world attack scenarios
- Work with other stakeholders to put backstops where possible to stop external threats from becoming a reality for Spotnana
Experience to bring with you
- 8 years of previous web and mobile application security experience
- Experience securing microservices-based applications built on AWS
- Expert level knowledge and experience using and implementing major AuthN and AuthZ frameworks such as OAuth, OpenID Connect (OIDC), and SAML (Security Assertion Markup Language)
- Previous experience implementing secure SDLC practices and automation such as SAST, DAST, RASP and IAST in at least medium-scale software development organizations
- Experience configuring and tuning a WAF
- Deep understanding and experience with API security testing and risk mitigations
- Strong experience with React (JS) for the front end and Java for the backend services
- Hands-on experience with MySQL and RDS data stores, plus Elasticsearch and Spring Boot
- Experience with AWS Cognito is a plus
- Comfortable with committing code into production pipelines and following engineering practices and cadences
- Comfortable with conducting code reviews and explaining to development teams specifics on how to fix vulnerabilities
- Ability to write tools and automations to support various aspects of secure SDLC is a plus
- Nice to have: experience with applications running in ECS (Fargate) or EKS
- Knowledge and experience in building threat models at various levels of granularity, ranging from the whole enterprise down to specific scenarios of limited scope (infrastructure or applications, specific starting conditions, specific actors, and so on)
- Knowledge and experience conducting technical assessments that lead to mitigation of clear and present risks for an enterprise
- Past experience in pushing the boundaries of how risks are articulated by building proof-of-concept exploits and showing the impact of attacker techniques and tools to IT, SRE/Cloud Infrastructure and Dev teams
- Past experience in helping design defense-in-depth measures, such as adding relevant alerts, and additional preventative measures that may not be present
- You have a method for staying current on new security technologies, vulnerabilities, and methodologies, and you either routinely publish your research or contribute to bug bounties
Let’s talk compensation
Spotnana strives to offer fair, industry-competitive and equitable compensation. Our approach holistically assesses total compensation, including cash, company equity and comprehensive benefits. Our market-based compensation approach uses data from trusted third-party compensation sources to set salary ranges that are thoughtful and consistent with the role, industry, company size, and internal equity of our team. Each employee is paid within the minimum and maximum of their position’s compensation range based on their skills, experience, qualifications, and other job-related specifications.
The annual cash compensation for this role is: $180,000-$200,000
We care for the people who make everything possible - our benefits offerings include:
- Equity in the form of stock options, which provide partial ownership in the company so you can share in the success of the company as it grows
- Pre-tax and ROTH 401(k) options via Fidelity with up to a 4% company match
- Comprehensive benefit plans covering medical, dental, vision, life, and disability, effective on your hire date. We cover 100% of your employee premiums and 85% of your eligible dependents’ premiums
- Pre-tax flexible spending account options for health, dependent care and commuter expenses
- 20 vacation days per year in addition to 10 company holidays, 4 company recharge/wellness days and an end-of-year company shutdown
- Up to 26 weeks of Parental Leave
- Monthly cell phone / internet stipend
- Additional benefits including access to RocketLawyer’s online legal platform, International Airlines Travel Agent Network (IATAN) membership, Pet Insurance through Fetch, Financial Wellness through Origin and SoFi, EAP through Mutual of Omaha, The Calm app through Kaiser, pre-tax parking/transit program and more
We are committed to fostering a diverse, inclusive environment and to encouraging these values in everyone on our team. We provide an environment of mutual respect where opportunities are available without regard to race, color, religion, sex, pregnancy (including childbirth, lactation and related medical conditions), national origin, age, physical and mental disability, marital status, sexual orientation, gender identity, gender expression, genetic information (including characteristics and testing), military and veteran status, and any other characteristic protected by applicable law. We believe that diversity and inclusion for people from all walks of life is key to our success as a company.