
Product Security Engineer
Whatfix Inc., New Bremen, OH, United States
Position Summary
The Product Security Engineer at Whatfix is responsible for securing applications, cloud services, and infrastructure by embedding security across the Secure Software Development Lifecycle (SSDLC). This role focuses on conducting security assessments, identifying vulnerabilities, and driving remediation in collaboration with engineering teams.
The engineer will perform VAPT, threat modeling, and security architecture reviews while integrating security automation and best practices into development workflows. The role also involves working with product, engineering, and GRC teams to ensure compliance with industry standards.
Job Description
Implement and enforce Secure Software Development Lifecycle (SSDLC) practices across all technology projects to proactively identify and mitigate security risks.
Conduct VAPT for applications, APIs, and desktop applications, aligned with OWASP Top 10 (Web & API Security).
Perform AI/LLM security testing based on OWASP Top 10 for LLMs.
Lead threat modeling (STRIDE) and security architecture reviews, ensuring adherence to CIA and AAA principles.
Perform secure code reviews and manual/automated security testing to identify vulnerabilities and drive timely remediation in collaboration with engineering teams.
Develop and maintain CI/CD security pipelines (e.g., Jenkins-based jobs) to integrate security into development workflows.
Support internal and external audits (ISO 27001, ISO 42001, SOC 2, FedRAMP).
Collaborate closely with product and engineering teams to drive the product security program objectives.
Communicate security risks effectively to diverse stakeholders and recommend mitigation strategies.
Participate in customer and vendor meetings to address security-related clarifications and issues as required.
Familiarity with Azure infrastructure, including compute, networking, storage, and basic security services.
Required Skills
Strong knowledge of OWASP Top 10 (Web, API, and LLM Applications) and CWE Top 25.
Experience in application, API, and microservices security.
Hands‑on experience with SAST, DAST, SCA, and secret scanning tools.
Familiarity with REST APIs and authentication frameworks (OAuth 2.0, OpenID Connect).
Experience with DevSecOps practices, CI/CD pipelines (e.g., Jenkins), and Git-based workflows.
Proficiency in programming languages such as Java or .NET, and scripting (e.g., Python).
Ability to effectively communicate security risks and drive remediation.
Strong ability to triage, prioritize, and validate findings from SAST, DAST, SCA, and secret scanning tools.
Good to have
Knowledge of containerization and orchestration (Docker, Kubernetes).
Expertise in threat modeling and secure architecture reviews.
Strong understanding of Agile and secure development practices.
Familiarity with security tools such as Checkmarx, Burp Suite, Nuclei, and AI penetration testing tools.
Qualifications
Qualification Required: Bachelor's or Master's degree in either Computer Engineering or Information Science.
Preferred certifications: OSCP, CEH, ECSA, or other industry‑recognized security certifications.
Minimum experience: 5 to 6 years in Product Security.