Product Security Engineer

Who we are:

VBG (Veteran Benefits Guide) was founded by a former active-duty United States Marine with the goal of ensuring that Veterans receive the correct disability benefits in a timely manner. VBG has successfully guided over 35,000 Veterans by submitting their VA (Veteran Affairs) disability claims, resulting in increased compensation benefits for their disabilities that are related to active-duty service. As a company founded by a Veteran and staffed by many Veterans and families of Veterans, Veteran Benefits Guide is committed to advocating for policies that protect the rights and interests of former servicemembers.

Summary:

The Product Security Engineer will play a critical role in ensuring the security of our software applications, protecting sensitive data, and identifying and mitigating security vulnerabilities. This role requires a deep understanding of software security principles and a commitment to proactively safeguarding our systems.

Basic Function/Responsibilities:

• Conduct comprehensive code reviews to identify and rectify security vulnerabilities and coding flaws.
• Collaborate with the development team to implement secure coding practices.
• Analyze software designs and architectures to identify potential security threats and weaknesses.
• Develop threat models to guide security measures and risk assessment.
• Plan and execute security testing, including penetration testing, vulnerability assessments, and security assessments.
• Work with cross-functional teams to resolve identified security issues.
• Promote security best practices throughout the software development lifecycle.
• Integrate baseline security configurations and controls into the development workflow.
• Educate development teams on secure coding practices and security awareness.
• Utilize and maintain relevant security tools and technologies, including but not limited to AppScan, Fortify, and Burp Suite, to identify vulnerabilities, assess risks, and implement appropriate security measures.
• Configure and manage firewall settings to protect the network infrastructure.
• Apply cloud security best practices for platforms like AWS, Azure, and GCP to secure cloud-based resources and services.
• Conduct training sessions and workshops on security-related topics.
• Develop and maintain an incident response plan for software security incidents.
• Lead investigations and collaborate with incident response teams to address security breaches.
• Ensure software applications comply with industry regulations and standards (e.g., HIPAA, OWASP, NIST, GDPR).
• Assist in the development and enforcement of security policies and procedures.
• Stay updated on emerging threats and trends in software security.
• Continuously research and recommend new security tools and methodologies.

Required Experience:

• Proven experience in software Security Engineering or secure software development.
• Excellent programming skills in JavaScript, PHP, Python, and others.
• Proficiency in MongoDB, Express.js, React, and Node.js is strongly preferred.
• Relevant certifications, such as Certified Secure Software Lifecycle Professional (CSSLP) or Certified Cloud Security Professional (CCSP), and AWS Cloud or Security Specialty are a plus.
• Strong knowledge of common application security vulnerabilities and mitigation techniques.
• Proficiency in security tools and practices, such as static and dynamic code analysis, fuzz testing, and threat modeling.
• Strong problem-solving and communication skills.
• Ability to collaborate effectively with cross-functional teams and communicate complex security concepts to non-technical stakeholders.

Education:

Bachelor’s degree preferred (Engineering, Computer Science, Information Systems, etc.) or equivalent experience

Position Type: This is a full-time position. Working hours are Monday through Friday, from 8:00 a.m. to 5:00 p.m., with in-office attendance required three times per week with the rest of the time being remote. More days in the office may be required as needed. Occasional after-hours coverage may be necessary.

Travel: Offsite training or meeting travel is estimated to be less than 5%.