Senior Application Security Engineer

At Thumbtack, application security engineers support the building of products and systems that directly impact our customers and professionals to ensure that we are deploying as secure a product as possible. We believe in tackling these hard problems together as a team, with strong values around collaboration, ownership, and transparency. To read more about the hard problems that our engineering team is taking on, visit our engineering blog.

Thumbtack is looking for a Senior Application Security Engineer with a broad range of engineering skills, and specialized knowledge in application security, to lead security initiatives, build safe software, conduct security reviews, and potentially respond to security incidents. The ideal candidate has experience in core and security cloud services, solid Linux fundamentals, scripting, software development with modern object-oriented programming, web development, and is proficient at identifying and mitigating common web application security vulnerabilities. 

The security landscape changes rapidly with new vulnerabilities and threats emerging all the time. Staying ahead of these, understanding their implications, and applying the appropriate countermeasures is a constant challenge. Embedding security within the development process, while maintaining the speed and efficiency of DevOps, involves ongoing collaboration and communication with development teams.

• Design, implement and maintain security-oriented software that makes it easier for non-security engineers to build secure products
• Collaborate with many teams and functions across Thumbtack to make technical, design, strategy, and product decisions relating to security
• Act as an internal security subject matter expert, advocating for better security practices throughout the company
• Perform security design reviews and threat modeling on-demand and as needed
• Participate in security incident response
• Grow your career in an engaged and innovative engineering community that ships transformative products and services
• Help evaluate the adoption of open source software and 3rd party integration from a security standpoint

If you don't think you meet all of the criteria below but still are interested in the job, please apply. Nobody checks every box, and we're looking for someone excited to join the team.

• 5+ years experience leading complex, technical, XFN projects (Data Platform or Infrastructure a plus)
• Experience and understanding of application and infrastructure security standards and best practices
• Experience in security hardening in a public cloud environment (AWS, GCP)
• Experience and proven ability in delivering secure products and services in a cloud environment
• Ability to think strategically at the program level, dive in and be hands-on in day-to-day action
• Experience in secure design and authoring security tools and libraries

• Experience with conducting a penetration test, deploying static and dynamic code analyzers, orchestrating threat modeling and rapid risk assessments
• Hold an Offensive Security Certified Professional (OSCP) certification
• Familiarity with security frameworks such as OWASP (including Mobile) NIST CSF, NIST SP 800-x, COBIT, ISO-27001, PCI DSS
• Working experience with NIST Common Vulnerability Scoring System (CVSS) and Threat Modeling Framework such as STRIDE or PASTA

For candidates living in San Francisco / Bay Area, New York City, or Seattle metros, the expected salary range for the role is currently $180,000 - $250,000. Actual offered salaries will vary and will be based on various factors, such as calibrated job level, qualifications, skills, competencies, and proficiency for the role.