CLEAR transforms what is uniquely you (your fingerprints, your face, your eyes) into a secure, biometric key to frictionless experiences. We are creating a world where travel is effortless, where accessing your office building is as simple as walking in, & where shopping is as easy as walking in & out of a store without ever once showing an ID or credit card. CLEAR currently powers secure, frictionless customer experiences in nearly 40 U.S. airports & venues. With over 3 million members so far, CLEAR is the identity platform of the future, today.
We're looking for an outstanding & passionate Senior Application Security Engineer. In this role, your primary focus will be ensuring, enforcing, & maintaining our high standards of security, specifically with regard to member data.
This role is hands on & technical while requiring a heads-up nature to identify gaps & drive the creative application of state-of-the-art security practices & controls. CLEAR is a fast & nimble company, so the ideal candidate will be able to leverage automation & data analysis to embed continuous security practices into our development & operational workflows. The application security program must be designed to ensure that any software developed or acquired meets these stringent standards while enabling rapid innovation to meet the ever-changing needs. Successful candidates will be security evangelists who can translate security concepts into language that is meaningful to many audiences, including business & technical leaders.
What you will do:
- Work with Software Engineering & DevOps leaders to build CLEAR's next-generation build & deploy (CI/CD) system. Define technical requirements, deploy & manage tooling, & build processes to handle application security issues before they are released.
- Partner with the company's Software Engineering, DevOps, & IT teams to ensure all new & existing software has been fully vetted & remains secure. Perform code review, security risk assessments, manual security testing, automated security testing, & threat modeling, & educate developers on security best practices.
- Lead internal & external penetration tests of CLEAR's most critical assets, & triage issues with internal stakeholders for remediation.
- Establish security standards & specifications to balance the needs of a more secure product offering with the needs of the business. Ensure all internet-facing services, backend services, data stores, & supporting infrastructure are built & maintained with security in mind.
Who you are:
- 5-8 years of experience in software development & implementing security into organization-wide SDLC processes.
- Minimum of 8 years experience (in excess of degree requirements). Minimum 2 years relevant architecture experience with expert level knowledge of application systems design & integration.
- Has excellent interpersonal communication skills & can take very technical issues & make them understandable to all audiences.
- Personal passion for security & cutting edge security concepts.
- Strong understanding of Software Security Architecture & Design, SDLC, CI/CD, & the ability to clearly articulate best practices for application security.
- Experience writing & pentesting web applications & web services.
- Proficient in reading many different programming languages.
- Able to evaluate, deploy, & manage application security tools (e.g. DAST, SAST, RASP, WAF) & build strong vendor relationships.
- Experience with a public cloud provider (Amazon Web Services, Microsoft Azure, or Google Cloud Platform).
- Demonstrable knowledge of TCP/IP, HTTP, RESTful APIs, application security, & experience supporting service-oriented, asynchronous, & distributed application architectures.
- Previous experience on a Security team, coordinating responses to security incidents and/or writing & presenting application security assessment reports.
- Knowledge of containers & scheduling frameworks (e.g. Kubernetes, Docker Swarm, DC/OS, ECS).
- Experience integrating security practices into continuous integration tools & pipelines.
- Well-rounded background in host, network, & application security, including knowledge of internet security issues & the threat landscape.
- Candidates must be able to explain all vulnerabilities & weaknesses in the OWASP Top 10, WASC TCv2, & CWE 25 to any audience, & discuss effective defensive techniques.
- Ability to listen for nuances, dig into details in order to understand systems deeply, & articulate technical details & risks to business leaders.
- Familiarity with one or more industry standards & regulations such as PCI, NIST 800-53, FedRAMP & ISO27001.
- Strong programming & scripting experience in C#, C++, Java, Python, Bash, Go, or something similar.
- Participates in CTFs or actively contributes to the security community through exploit development.
- Bachelor's degree or higher in Computer Science.