Overview
Medallia is the pioneer and market leader in Experience Management. Our award-winning SaaS platform, Medallia Experience Cloud, leads the market in the understanding and management of experience for candidates, customers, employees, patients, citizens and residents.
We are more than a software company. We want to be known as a company that does the right thing, no matter the challenge or controversy. We are committed to creating a culture that values every person and every experience. Individual life experiences shape the way we interact with the world, which is why we encourage people to bring their whole selves to work each day. The strength of our global workforce is the most significant contributor to our success.
We believe: Every Experience Matters. Talent is Everywhere. All Belong Here.
At Medallia, we hire the whole person.
The Role and Team
At Medallia, the Product Security team's mission is to build customer trust in Medallia's products by setting the standards and principles for secure development and validating our security through continuous assessment.
At Medallia, we feel very strongly about protecting our clients' information, and are looking for like-minded engineers to solve complex security challenges while enabling the rapid growth of the business globally. This Product Security role is key to maturing our security program within the development lifecycle of our product portfolio, and it offers tremendous growth opportunities at a security-conscious company on a high growth trajectory. As Medallia becomes a trusted partner to organizations across the globe and across several industry verticals, it is more important than ever that we stay a step ahead in securing our applications, services and data.
The Senior Product Security Engineer will work closely with our global engineering teams to ensure that we build secure and robust software in a SecDevOps and Agile environment. We are looking for a candidate who is passionate about security, has a strong technical background and loves creating innovative solutions to challenging problems.
Our Engineering Culture:
- We don't expect to be perfect, but we are always proactively seeking out ways to help ourselves and our teams to minimize pain points within our infrastructure and code base.
- We love technology, follow the latest technologies, and share what we learn.
- We are not afraid of failing when we experiment with different technologies, development methodologies, and tooling.
- We build strong relationships with team members around the globe and are not afraid to challenge our team members and peers on enforcing good habits and best practices.
Some High-level Areas We're Investing In Include:
- Implementing RASP (Runtime Application Self-Protection) for all Medallia products.
- Scaling proactive security controls to new environments (e.g. acquisitions).
- Application Security Posture Management (ASPM).
- API security.
Responsibilities
- Perform application security assessments, including architecture review, threat modeling, code review, penetration testing and bug bounty triage, on both web and mobile (iOS, Android, and React Native) platforms.
- Assist and enable engineering teams to adopt secure development practices.
- Provide software security advice to cross-functional teams including product, engineering, and services.
- Create and refine the Security Champions Program to align with Medallia's security goals and objectives.
- Apply extensive development experience to write automation scripts, conduct in-depth code reviews, identify and address security vulnerabilities, and integrate security features into the application lifecycle.
- Work closely with engineering and product teams to drive security issues to resolution.
- Develop and mature software security guidance including training materials, best practices, secure development standards.
- Automate security testing at scale by building and implementing static analysis (SAST), dynamic analysis (DAST) and software composition analysis (SCA) tools, and by integrating security into the software development lifecycle through the CI/CD process.
- Employ knowledge and deep understanding of the threat landscape, SaaS industry, and customer feedback to drive the pipeline of impactful security features.
Qualifications
Minimum Qualifications:
- 4 years of experience with software security assessments and remediation in Java (or other object-oriented languages).
- Demonstrated experience in at least two of the following areas: architecture review/threat modeling, penetration testing, and static code analysis automation.
- Demonstrated experience with tools and technologies used throughout secure SDLC (e.g., Checkmarx, Fortify SCA, Coverity, AppScan Standard/Enterprise, WebInspect, Netsparker, Burp Suite, Nessus, etc.).
- Have set up or supported bug bounty programs.
- Advocated for security within teams by clearly articulating security risks and mitigation strategies, ensuring that security considerations are prioritized in product development and operational processes.
- Developed comprehensive security documentation, including threat models and secure coding practices, and ensured it was clear, accurate, and useful for both technical and non-technical stakeholders.
Preferred Qualifications:
- 5+ years of experience with software security assessments and remediation in Java (or other object-oriented languages).
- Independent problem-solving capabilities and excellent communication skills.
- Drive to take ownership of projects and see them through to resolution without close supervision.
- Proven ability to work collaboratively across and within teams.
- CISSP or CSSLP certification.
- Knowledge of open-source dependency scanning tools such as Black Duck, SourceClear (SRC:CLR) and Snyk, and of fuzzing tools such as Defensics.
- Knowledge of Node.js or any modern JS framework (such as React.js), or of native mobile development. Knowledge of popular web development frameworks and libraries (AngularJS, React, Redux, jQuery) and of server-side libraries such as Velocity, StringTemplate, Jackson and Thrift.
- Proficiency with Python, Ruby, or other scripting languages.
- Knowledge of microservices architecture and containers.
- Experience working in a compliance-focused environment; knowledge of FedRAMP (Federal Risk and Authorization Management Program) and FISMA (Federal Information Security Management Act).