Principal Product Security Engineer
The Role
Under the direction of the VP of Product Security, this role is a key member for day-to-day operations of Product Security at Aspen Technology. This role will help protect our clients, enable teams to deliver secure development, and position us for future security needs. This thought leader will help drive mitigation of risk thru activities such as developing Threat Models, driving Risk Assessments, reviewing alignment of standard controls to mitigate risks in products, overseeing vulnerability tracking, ensuring security documentation and compliance with security lifecycle activities for product security releases. This could include supporting compliance documents, secure patch release, security incidents, security communications, the security champion program, and product security verification/validation activities. This role will work closely with development teams, senior leaders, and teams across the organization.
Responsibilities
- Supports the design, implementation, and oversight of Product Secure Development Lifecycle. Including aspects such as security requirements, secure architecture/design, risk assessment, threat models, security scanning, triage and vulnerability management, and product security validation/verification.
- Administers product security practices to product teams, technology, and security champions across the organization.
- Drive Product Security efforts to resolve challenges, enable automation, and impact organization security culture.
- Maintains a deep understanding of current issues in the realm of information security. Subscribes to major industry newsgroups and mailing lists and assesses the impact of all emerging issues on systems and practices at Aspen Technology.
- Maintains broad understanding of information security including ISO27002, NIST and other information security frameworks and regulations.
- Experience with Application/Product Security, Risk Assessment, Threat Models, Secure Architecture/Design, Security Scanning. (SAST, DAST, SCA, cloud security configuration scanning)
- Experience with cloud solutions such as Azure and AWS
- Experience with security policy, procedures, tools, services, and cloud security models.
- Experience with Application Security Best Practices such as web security, cloud security, pen testing, fuzz testing, security coding guidelines, security architecture/design principles, CVSS, STRIDE, DREAD.
- Experience with Application development technologies, processes, and best practices. For example: Agile, RUP, CICD, DevSecOps.
Requirements
- Bachelor’s degree (B.A./B.S.) or equivalent in computer science or technical equivalent discipline from an accredited college or university required.
- 8+ years of experience in IT required.
- 5+ years of experience in an information security role or experience with security and development teams.
- Knowledge of information security regulatory requirements for privacy, secure by design, and defense in depth.
- Maintains broad understanding of information security including ISO27002, NIST and other information security frameworks and regulations.
- Experience with Application/Product Security, Risk Assessment, Threat Models, Secure Architecture/Design, Security Scanning. (SAST, DAST, SCA, cloud security configuration scanning)
- Experience with cloud solutions such as Azure and AWS
- Experience with security policy, procedures, tools, services, and cloud security models.
- Experience with Application Security Best Practices such as web security, cloud security, pen testing, fuzz testing, security coding guidelines, security architecture/design principles, CVSS, STRIDE, DREAD.
- Experience with Application development technologies, processes, and best practices. For example: Agile, RUP, CICD, DevSecOps.
Qualifications
- Preferable exposure to the following: IEC 62443-4-1, IEC 62443-4-2, NIST 800-53, ISO 27001, ISO 27002, Cloud Security Alliance (CSA), Cybersecurity and Infrastructure Security Agency (CISA), SANS, OWASP, CWE 25, ethical hacking, and AI Security best practices.
- Desired domain knowledge and/or certification: CISSP, CISA, CCSP, CSSLP, CEH, SANS GIAC, security certification from AWS or Azure.
Skills
- Demonstrated ability to plan, design, develop, deploy, and maintain application security best practices.
- Ability to assume high levels of responsibility and to work with a minimum of day-day supervision.
- Ability to cooperate effectively with people from all organizational levels and build consensus through negotiation and diplomacy.
Benefits
- The salary range for this role is $120,900.00 - $151,100.00. This range represents what we in good faith believe is the range possible for base compensation for this role at the time of this posting. We may ultimately pay more or less than the posted range based on several factors. This range may be modified in the future.
- This role is also eligible for bonus or variable incentive pay.
- We offer a comprehensive benefits package including paid time off, charitable giveback day, medical/dental/vision insurance, and retirement benefits to eligible employees.