Principal Application Security Engineer
LendingClub (NYSE: LC) opened in 2007 with one simple mission: create a more efficient, transparent and customer-friendly alternative to the traditional banking system that offers creditworthy borrowers lower interest rates and investors better returns. Today, we’re the world’s largest online credit marketplace, and we’re radically changing the way lending operates. We’re proud of the recognition we’ve received, including being named a World Economic Forum Technology Pioneer, a CNBC Disruptor 50, and one of The World’s 10 Most Innovative Companies in Finance by Fast Company. We’re conveniently located in downtown San Francisco, California.
About the Team
The Application Security Team plays a key role in protecting all software developed at LendingClub. This core team of application security engineers works closely with and in support of a large team of security-focused software engineers, all of whom work to ensure LendingClub builds and maintains secure software for its customers and partners. As the Principal Application Security Engineer, you will consult on and review key projects, promote good security practices, and solve classes of security problems through engineering solutions, for both front-end and back-end software. In addition, this team integrates tooling and automation, expert review and training throughout the Software Development Lifecycle (SDLC) to ensure security is prioritized at each step to identify potential vulnerabilities and design flaws.
The ideal individual has a blend of application development experience and application security experience. You can get your hands dirty to solve problems directly in the code and execute swiftly on complex problems. In addition, you can help build security solutions that scale and move at the speed of commerce, for example automated testing and reporting on risk. LendingClub is an Agile tech company, and Application Security will work without constraints to both address risk and enable innovation.
The Principal Application Security Engineer reports to the Application Security Director and partners with the broader Information Security Program within the Technology organization of LendingClub.
- Become an expert in the LendingClub software stack to understand points of weakness and opportunities for application security solutions.
- Engineer and maintain application security tools and services to ensure quality within LendingClub’s SDLC.
- Enable automated security testing at scale to measure vulnerability density across LendingClub applications.
- Collaborate with internal partners on addressing systemic security issues.
- Participate in security reviews to ensure timely evaluation per risk-based approaches.
- Evangelize security within the development organization through awareness proliferation activities such as mentoring, engineer onboarding training, Security Champ collaboration, and development and procurement of security-related events such as Capture the Flag competitions and Red Team activities.
- Manage vulnerability discovery and remediation efforts from sources like static, dynamic, and crowd-sourced web application testing technologies and report on their success.
- Maintain an active membership and participation in the greater AppSec community.
- Assist in the evaluation, selection, onboarding and management of AppSec vendors and consultants.
- Commit to and develop AppSec testing / unit testing requirements for security features and functions.
- 7+ years in the field of software security.
- 7+ years software engineering experience (Java focus).
- Experience implementing, running and maintaining tools and/or processes to reliably identify security issues such as SQLi, XSS, CSRF, and business logic flaws across large code bases (SAST, DAST, PenTesting, Security Unit Testing, etc.).
- Knowledgeable regarding browser security controls (CSP, XFO, HSTS, etc.), OWASP Top 10, and authentication infrastructure (SAML, OAuth).
- Knowledgeable regarding back-end security topics such as secret management and service authentication.
- Comfortable dealing with ambiguity and conflicting priorities.
- Strong ethics and understanding of ethics in information security.
- Good project management skills.
- Superb communication skills.
- B.S. Computer Science or similar combination of education and experience.
- Ability to write complex software in multiple languages.
- Experience leading secure software development classes.
- Written your own security tools.
- Presentation experience.
- Experience using JIRA.