Tide - Associate Director - Application Security - Vulnerability Management (8-12 yrs)

ABOUT THE TEAM :

The Tide Security Engineering team is made up of three core areas: Product Security, Threat Detection & Response, and Identity.

Product Security (this role!) consists of application and cloud security experts. Their mission is to protect the products we build, covering everything from secure design reviews to threat modelling and penetration testing, ensuring security is embedded from the ground up.

Threat Detection & Response focuses on protecting the company by building a robust detection and automation platform. We're proactive in our defense, constantly hacking ourselves to improve our security posture and staying ahead of emerging threats. Our goal is to make Tide resilient against the ever-evolving threat landscape.

Identity is responsible for managing Tide's staff identity platform, ensuring that access to systems and infrastructure is secure, seamless, and aligned with modern security practices. The team uses strategies like zero trust, multi-factor authentication, and granular role-based access controls to safeguard our internal operations.

While each area has its own focus, collaboration is key - it's why we share the same Slack channel and hold our standups together as one cohesive team, ensuring alignment and seamless communication across all security functions.

ABOUT THE ROLE :

First and foremost you will be passionate about security and resilient software development processes. You will enjoy hunting for vulnerabilities in our web and mobile applications and working with our engineering teams to remediate them strategically. You will be comfortable explaining security issues and concerns to product owners, engineers, VPs and executives and love the feeling you get when this results in them releasing a more resilient product. You will be a keen follower of all things Infosec and constantly be on the lookout for ways to apply new industry trends, tools and automations to your day-to-day role.

As a Senior Product Security Engineer you'll :

- Regularly dive deep into mobile, web app technologies in order to understand feature development and proactively hunt for vulnerabilities

- Be proficient in securing cloud-native applications, ensuring that security best practices are applied consistently across our cloud environment

- Be proficient in threat modelling and guide developers in secure design principles to prevent vulnerabilities from being introduced in the first place

- Help remediate vulnerabilities through strategic initiatives, writing patches, or creating understandable and actionable vulnerability tickets.

- Be the subject matter expert across a wide range of security areas, particularly in Application Security.

- Make security invisible when possible, believing that gatekeeping and blocking product teams should be avoided in favor of enabling secure development.

- Mentor and coach junior engineers, sharing your knowledge to help raise the security bar across the organization Leverage automation and security tools to seamlessly integrate security into our CI/CD pipelines, ensuring vulnerabilities are caught early without disrupting development.

WHAT WE ARE LOOKING FOR :

- You have a breadth and depth of knowledge across AppSec; you're expected to understand topics like why private keys should be stored in the Secure Enclave, the differences between URL Schemes and Universal Links, what resigned URLs are in the context of S3 and the safest storage mechanisms for modern browsers.

- You know Burp Suite (or your favorite attack proxy) inside and out; bonus points if you've written or contributed to an extension that enhances its functionality.

- You have excellent spoken and written communication skills to articulate vulnerabilities clearly and persuasively, advocating for their remediation even when faced with competing production pressures.

- As a passionate senior security engineer, you have a blog, public speaking engagements, bug bounty profile, or a Git repository showcasing your work.

- You're comfortable writing proof-of-concept (POC) scripts to demonstrate your findings and their potential impact, as needed.

- You have hands-on experience with securing cloud-native applications, ensuring that best practices are consistently applied.

TIDEAN WAYS OF WORKING :

- At Tide, we champion a flexible workplace model that supports both in-person and remote work to cater to the specific needs of our different teams.

- While remote work is supported, we believe in the power of face-to-face interactions to foster team spirit and collaboration. Our offices are designed as hubs for innovation and team-building, where we encourage regular in-person gatherings to foster a strong sense of community.