Product Security Lead

Flensburg Wilhelmstrasse, Germany

Job Description:

Responsibilities

Policy and Governance:

  • Own SDLC Policy:
    • Develop, maintain, and enforce Software Development Life Cycle (SDLC) security policies and procedures to ensure the integration of security into all stages of product development.
  • Define Security Requirements for Products:
    • Collaborate with product teams to define and enforce security requirements for new and existing products, ensuring alignment with business objectives and compliance standards.

Collaboration and Advocacy:

  • Collaborate with Product and Engineering Teams:
    • Work closely with product managers, software engineers, and other stakeholders to embed security practices into product design, development, and deployment processes.
  • Collaborate with Product Security Champions:
    • Establish and manage a network of product security champions embedded in each product team to promote security awareness and best practices.
    • Provide training, resources, and mentorship to empower champions to act as security advocates within their teams.
  • Foster a Security-First Culture:
    • Advocate for a security-first mindset across all product and engineering teams, promoting transparency and collaboration to position security as an enabler rather than a blocker.

Vulnerability Management and Tooling:

  • Help Prioritize Vulnerability Information:
    • Assist in prioritizing and triaging vulnerability information for engineering teams, ensuring timely resolution of security issues based on risk assessment and impact analysis.
  • Assist with SAST, DAST, and SCA Tooling Support:
    • Support the selection, implementation, and ongoing management of Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) tools.
    • Collaborate with engineering teams to integrate these tools into CI/CD pipelines, ensuring effective and automated security testing throughout the development lifecycle.
    • Provide guidance on interpreting results, triaging findings, and addressing identified vulnerabilities.

Compliance and Certifications:

  • Lead Certifications (ISO 27001, SOC 2, etc.):
    • Drive efforts to obtain and maintain industry-standard certifications such as ISO 27001 and SOC 2 for products, overseeing compliance activities and audits.

Threat and Risk Management:

  • Conduct Risk Modeling:
    • Perform risk modeling and analysis on products to identify potential threats and vulnerabilities, providing recommendations for mitigation strategies.
  • Monitor Emerging Threats and Trends:
    • Stay informed about emerging threats, vulnerabilities, and attack vectors that could impact the organization’s products.
    • Proactively recommend and implement security measures to address new risks.

Testing and Incident Response:

  • Lead Penetration Testing Efforts:
    • Manage and coordinate penetration testing activities on products, overseeing external vendors or internal teams to identify and remediate security vulnerabilities.
  • Support Incident Response for Product Security:
    • Act as the primary point of contact for product-related security incidents, working with engineering, legal, and customer support teams to resolve issues efficiently.
    • Conduct root cause analysis and implement lessons learned to prevent future incidents.

Customer Engagement:

  • Engage with Customers:
    • Address product-specific security concerns raised by customers, provide guidance on security features and controls, and contribute to customer-facing security documentation and responses.

Training and Awareness:

  • Develop and Deliver Secure Development Training:
    • Create and deliver secure development training programs for developers, product managers, and other stakeholders to ensure security is a shared responsibility.
    • Keep training materials updated with the latest security trends, vulnerabilities, and mitigation techniques.

Metrics and Reporting:

  • Drive Product Security Metrics and Reporting:
    • Define and track key metrics to measure the effectiveness of product security initiatives (e.g., vulnerability remediation times, penetration testing results, tool adoption rates).
    • Regularly report on the state of product security to leadership and stakeholders.

Architecture and Design:

  • Contribute to Security Architecture Reviews:
    • Participate in architecture and design reviews to ensure security is considered from the ground up in all product development efforts.
    • Provide guidance on secure design patterns, cryptographic implementations, and other security-critical decisions.
    • Collaborate with third-party oversight teams to manage technology risks associated with vendors, with an emphasis on cloud computing and emerging technologies.

Cloud and API Security:

  • Cloud Security:
    • Collaborate with engineering and DevOps teams to secure cloud environments (e.g., AWS, Azure, GCP) used by the organization’s products.
    • Ensure proper configuration of cloud security controls, including identity and access management, data encryption, and logging/monitoring.
  • API Security:
    • Oversee the security of APIs, ensuring they are designed and implemented to protect against common vulnerabilities (e.g., OWASP API Top 10).
    • Work with engineering teams to implement secure authentication, authorization, and data validation practices for APIs.

Open Source Security:

  • Manage Open Source Risks:
    • Oversee the use of open-source dependencies within products, ensuring risks are addressed through effective use of SCA tools.
    • Collaborate with engineering teams to remediate vulnerabilities in open-source components and monitor for emerging risks.

DevSecOps Integration:

  • Integrate Security into DevOps Practices:
    • Work with DevOps teams to integrate security into CI/CD pipelines, ensuring security automation and scalability across development processes.
    • Promote DevSecOps principles to streamline security testing and remediation without disrupting development velocity.

Kaleris is an equal opportunity employer. We celebrate diversity and are committed to creating an inclusive environment for all employees.

Category: Leadership Jobs

Tags: APIs Application security Audits Automation AWS Azure CI/CD Cloud Compliance DAST DevOps DevSecOps Encryption GCP Governance IAM Incident response ISO 27001 Monitoring Open Source OWASP Pentesting Product security Risk assessment Risk management SAST SDLC SOC SOC 2 Vulnerabilities Vulnerability management

Perks/benefits: Transparency

Region: Europe
Country: Germany