iHerb is a multi-channel retailer of vitamins, nutrition, supplements and natural products. With over 30,000 products on our website and distribution to over 150 countries we are disrupting the E-Commerce industry with our low costs and quick delivery. Located in the business capital of Orange County, iHerb-Technology is less than 15 minutes from the beautiful California coast. We are a thriving company, only looking for the best talent. We are looking for dedicated employees to help expand our business.
We are a highly distributed e-commerce company with several different in-house developed systems that deal with the huge volume of data flowing throughout the system. We are looking for an Application Security Engineer to be a key liaison between the software development teams and the security team: making sure the developers stay on top of their game in creating secure code, reviewing and testing code and builds from a security perspective, and following up on findings.
Responsibilities:
- You can monitor and maintain Application Security training and related awareness campaigns: champion the Security & Privacy Awareness Program for Application Development.
- You are able to participate in, review and advise on the security of new web applications, APIs and mobile applications.
- You can manage remediation of any findings from internal or external assessments
- You are able to support our compliance programs (such as PCI) by helping implement and document controls and examining evidence for compliance with standards.
- You are able to run DAST/SAST scans (Acunetix, Burp Suite, Nessus, etc.).
- You can conduct threat modeling / risk assessments in accordance with policies and standards, document them, and work with business units to remediate findings.
- You have the ability to run scans and penetration tests.
- You have run vulnerability scans (Kubernetes/Docker, database, PCI/ASV).
Qualifications:
- You have 3-5 years of experience with Application and Network Security.
- You have a Bachelor’s Degree in Information Technology, Information Security, Computer Science, or related field.
- Advanced industry certification strongly desired, e.g. SANS GIAC (CEH - Certified Ethical Hacker or GXPN - Exploit Researcher and Advanced Penetration Tester are preferred), Offensive Security Certified Professional (OSCP), CompTIA Security+, CISSP, ...
- Familiar with SQL Server administration and queries
- Possess an understanding of PCI Compliance and EU GDPR Requirements
- Provide support for strategic business process/reengineering consulting as appropriate and work on multiple technically complex high profile projects.
- Demonstrate an understanding of key IT operational policies, processes and methodologies applicable to governance, risk management and compliance.
- General understanding of security fundamentals and general security technologies, including operating systems, network security (firewalls, VPNs, etc.), security event management, business continuity, physical security, identity management, directory services, etc.
- Deep knowledge of OWASP Top 10 (2013 and/or 2017 version) vulnerability detection and mitigation
- Familiar with the security of LANs, WANs, firewalls, VPN, MPLS and related network applications
- Knowledge of Active Directory, DDNS, Group Policy, Microsoft Windows Server and Desktop operating systems
- Knowledge of Linux-based operating systems, logging and troubleshooting
What we offer:
- An opportunity to get involved and build the tech foundation in a highly elastic distributed system deployed across 17 different datacenters in 3 different clouds.
- Competitive compensation
- Growth potential. We rapidly advance team members who have an outsized impact.
- Flexible vacation policy.
- Equity award program