Role Overview:
We are seeking a Senior API Security Engineer with extensive technical expertise and leadership skills to contribute to enterprise-wide API security initiatives at our client. The ideal candidate will serve as a subject matter expert in API security, performing threat modeling and managing, monitoring, and reporting on API security risk reduction. This role also includes evangelizing API security principles and controls, providing technical advice to application teams, and ensuring that API security standards are maintained across the organization.
Primary Responsibilities:
- Governance & Implementation: Perform ongoing governance and follow-up with API owners to ensure the implementation of threat-based security requirements.
- Security Standards Development: Develop, deliver, and maintain up-to-date API security standard requirements and design patterns.
- Vulnerability Assessment: Validate the implementation of API security controls against outputs from vulnerability testing tools to ensure auditability and verifiability.
- Technical Advisory: Act as a technical advisor on API security to application development teams.
- Security Evangelism: Advocate for API security design principles and best practices across the organization.
- Subject Matter Expertise: Be recognized as an API security subject matter expert within the company.
Required Security and Technical Experience:
- API Development & Security: Hands-on experience in developing and securing web APIs and web applications, including REST, SOAP, and gRPC.
- Security Testing: Direct experience with security testing of web services and APIs.
- Threat Modeling: Experience leading threat modeling exercises for applications and services.
- Risk Management & Security Architecture: Strong understanding of risk management, security architecture, and secure software development lifecycle (SDLC) practices.
- Identity & Access Management: Deep knowledge of API identity and access management controls, such as OAuth 2.0, OIDC, and JWT.
- Cryptography: Solid understanding of cryptography controls, including data at rest, in motion, and in use.
- Industry Standards: Familiarity with industry standards and frameworks, including NIST 800-53, NIST CSF, OWASP, and SANS Top 25.
- Programming Experience: Experience with Java, JavaScript, and mobile application development.
- Database Knowledge: Familiarity with database architectures, including Oracle, SQL, and NoSQL databases.
Desired Skills:
- Mentorship: Experience mentoring teams on application security and secure development practices.
- DevOps & Cloud: Experience with DevOps processes in a Cloud/SaaS environment.
- Cloud Security: Experience architecting, securing, and operating in one or more public cloud environments, such as AWS, Google App Engine, Azure, and Oracle Cloud.
- Service-Oriented Architectures: Experience with service-oriented architectures and web services security.
- Emerging Programming Languages: Proficiency with one or more emerging programming languages, such as Go or Rust.
- Certifications: Information security professional certifications, such as SANS GIAC or CISSP, are encouraged.
This position offers a unique opportunity to work on cutting-edge API security initiatives at our client, with a chance to influence and shape the organization’s security posture. If you have a passion for API security and meet the qualifications listed above, we encourage you to apply.