Senior Director of Application Security
Overview
Are you a passionate innovator looking to harness the power of technology to do more good? You've come to the right place. At Bonterra, our purpose is to power those who power social impact. To that end, we serve the people who make social good possible: the doers behind the scenes across nonprofits, public agencies, corporations, philanthropic organizations, and foundations.
As the second-largest and fastest-growing social good software company in the world, Bonterra brings together leading solutions from CyberGrants, EveryAction, Network for Good, Social Solutions, and their respective entities. By bringing our intuitive technology and expertise together, Bonterra will enable unprecedented connectivity between social good organizations and their community of supporters and constituents. This will reshape philanthropic giving, empower digital transformation, and bring the social good sector the technology it needs to accelerate lasting social change.
We are currently operating as a remote workforce and have equipped our teams with the technology to stay connected to each other and our customers.
Responsibilities & Requirements
Do you love to stay up to date on the latest application security attacks, trends, and news? Do you love to try and poke holes in applications? Are you the type that tries to see if you can put a SCRIPT tag in a first name field? Are you detail oriented, passionate, and committed to continual development? If so, read ahead!
What You'll Do:
- Report directly to the CISO while heading up Application Security to champion a comprehensive application security program founded on the same engineering principles as our R&D counterparts including secure development throughout the CI/CD pipeline. This program will span public cloud, data center, and corporate infrastructure security, and it will have clear security priorities defined to articulate and maximize value.
- Utilize excellent communication and interpersonal skills to develop strong and productive partnerships with our key stakeholders, especially R&D, Product, M&A, and IT, enabling the InfoSec teams to regularly leverage these partnerships to address critical and systemic application risks, and to evangelize and drive application security inside the company.
- Scale our application security programs through automation, software, tools, training, and initiatives rather than depending mostly on scaling horizontally through large headcount asks.
- Review and confirm risk and impact of application vulnerability findings from a variety of sources like SAST, DAST, IAST, SCA, pen test reports, and bug bounty program submissions.
- Perform activities such as: threat modeling, application security reviews, third-party integration reviews, source code level assessments, security testing, open and internal sourced component lifecycle management, and vulnerability triage across various applications.
- Become an expert at leveraging quantitative data and meaningful metrics to guide program decisions, educate stakeholders, and measure program operations and overall application health.
- Run centralized tracking and remediation of Application vulnerabilities including prioritization, scheduling, management, and metrics reporting. Work collaboratively and proactively with R&D, Product, & Operations teams and drive issue resolution.
- Identify recurring classes of security problems, find the root cause, and develop generalized and creative solutions to reduce the occurrence of application vulnerabilities at scale.
Who You Are:
- 3-5 years' experience in application security and/or software development roles with 1-3 years in a position of responsibility (team lead, etc.), including experience designing and building software-based solutions at scale using at least one popular programming language (C#, Java, Python, Ruby, etc.)
- Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
- You demonstrate excellent and pragmatic judgement in prioritizing security efforts to mitigate appropriate risks.
- Strong knowledge of secure design practices such as threat modeling and of common software vulnerabilities such as the CWE Top 25 and OWASP Top 10, and the ability to use that knowledge to identify security issues through code review, static/dynamic analysis, and common security tools.
What sets you apart:
- Experience with and knowledge of securing cloud services such as those built on AWS and/or Azure
- M&A (Mergers and Acquisitions) Product Security experience is a plus.
- You have a strong application security background with a focus on scalable approaches to product security.
- Experience with information security frameworks & controls. Knowledge of NIST, ISO, SOC 2, PCI, and/or CIS Controls.
About Us
Our Culture:
Our team is made up of industry experts and advocates who are 100% committed to supporting the doers of social good. We are currently undergoing an effort to create the vision and values that embody our collective organization and embrace the individuals who make up our community.
Some of our comprehensive and competitive benefits include:
- Generous PTO policy
- Equity for ALL regular, full-time employees from individual contributors to management - share in our success!
- Up to 15 paid company holidays including some commemorating social justice events and self-care
- Paid volunteer time
- Resources for savings and investments
- Paid parental leave
- Health, vision, dental, and life insurance with additional access to health and wellness programs.
- Opportunities to learn, develop, network, and connect
- When we can, company-sponsored events and swag!
Job Tags
#LI-JH1 #LI-Remote