Senior Engineer - Product Security
Remote - Virginia, United States
Full Time Senior-level / Expert USD 150K - 163K
College Board
College Board is a non-profit organization that clears a path for all students to own their future through the AP Program, SAT Suite, BigFuture, and more.
Senior Engineer – Product Security
College Board - Technology
Location: This is a fully remote role. Candidates who live near CB offices have the option of being fully remote or hybrid (Tuesday and Wednesday in office).
Type: This is a full-time position
About the Team
The College Board Product Security team is a close-knit and enthusiastic group of 8 technologists with a thirst for knowledge in all things security and cloud. We collaborate closely every day to investigate and solve problems and are strongly aligned with our product teams so that we stay a step ahead in securing the organization’s suite of products. We are an agile organization, embracing DevSecOps and cloud-native systems, and are focused on improving the speed and security of service delivery in support of our important mission. Our team comes from a wide variety of backgrounds and experience within the security space, and we work to ensure everyone on the team has a voice.
Product Security Engineers work closely with Information Security, Governance and Compliance, and Product teams to achieve product and security business objectives. They support the implementation of secure development practices, threat modeling, architecture, design, vulnerability assessments and security verification, as well as defining security standards and managing operations for a variety of products and security tools.
About the Opportunity
As Senior Engineer - Product Security, you will frequently interact with a variety of technology and business stakeholders to provide hands-on risk remediation or recommended solutions, including secure patterns and mitigation strategies. You will develop a deep understanding of our product landscape and lead the design and implementation of innovative security solutions. This includes enhancing existing systems, proposing new approaches, evaluating alternatives, and driving alignment across technical and release roadmaps.
As a Senior Engineer, you will lead and mentor junior team members, supporting their growth and development in Product Security concepts, tools and best practices.
In this role, you will:
Partner with Programs - Partnership Development (50%)
Act as a liaison between product development teams (both within and outside of technology) and other information security teams via regular engagements with assigned partner teams.
Embed into product teams’ planning and grooming sessions.
Develop a deep understanding of CB’s security policies and guidelines, audit requirements (SOC2, ISO27002, PCI, PII) and GRC exceptions to support compliance and security work.
Create threat models and risk registers for your assigned products and communicate application risks and vulnerabilities to technical & nontechnical stakeholders.
Lead application vulnerability reviews and remediation efforts through developing deep skill sets in understanding, managing and determining exploitability of vulnerabilities to properly determine risk and priority.
Work to gain a deep understanding of your assigned products’ architectures, supply chain (vendors, partners, third parties), development practices, CI/CD, GRC exceptions, and release cadence in order to understand and support mitigation of security risks.
Lead efforts to mentor developers through discussions, presentations, or hands-on training sessions that demonstrate best practices in developing secure code and securing application infrastructure.
Ensure all assigned products and applications adhere to the Product Security Framework requirements and work to remediate any gaps.
Elevate Product Security (25%)
Drive and lead efforts to promote, grow and enhance the Product Security Partners program to develop security champions and enable development teams to shift left.
Lead development of innovative guidance and training sessions to improve secure SDLC skills and awareness and cultivate a culture of security.
Coach product teams and junior team members on performing secure reviews of application architectures and document and advertise new security patterns as needed.
Partner with junior team members and foster their ability to develop threat models and risk assessments to identify application security weaknesses or lack of maturity in development processes and provide coaching on remediation strategies.
Innovate and stay current with industry trends to support continuous improvement of our Partner Program.
Drive Operations (25%)
Drive implementing and operationalizing security tooling and common integrated development environments (AWS).
Drive development of key metrics and KPIs to measure product security impact and report on assigned partner teams’ security posture and maturity of practices.
Participate in planning and grooming as part of agile ceremonies and manage assigned epics.
Provide hands-on expertise with CI/CD and build pipelines to further enhance quality and security gates; lead integration of automated solutions to increase security in CI/CD.
Work with broader Information Security team on incident response and operational/strategic initiatives.
Lead evaluation and improvement of new and existing security standards, tools, and solutions with a focus on automation and securing build pipelines for a shift left approach.
About You
You Have:
5-8 years of progressively responsible, directly related, hands-on experience in application security or DevSecOps
Strong hands-on knowledge of secure development practices, secure SDLC, DevSecOps, pen testing and threat modeling
Solid experience with securing AWS services, AWS secure architectures, application security and cloud applications, including software supply chain and micro service architecture
A thorough understanding of network and web protocols (TCP/IP, UDP, HTTP, HTTPS, SSL, TLS, DNS, etc.)
Hands-on experience reproducing and remediating common application vulnerabilities (OWASP/SANS) such as cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), the OWASP Top 10, and other attack vectors
Solid hands-on experience securing CI/CD, Node.js, React, RESTful APIs and common development frameworks (Angular, Bootstrap, Node, Struts, Spring, ASP.NET MVC, etc.)
Experience with key development tools/systems (artifact management, version control, work tracking, secrets management, NPM, build and deployment tools, etc.)
A passion for security along with an inquisitive and continuous improvement mindset
Excellent communication and collaboration skills with an ability to present ideas and problem-solve cross-functionally
Proven track record of training and coaching less experienced teammates in new technologies or concepts, eager to help others grow their skills to enable the success of an entire team
Authorization to work in the United States
About Our Process
Application review will begin immediately and will continue until the position is filled
While the hiring process may vary, it generally includes: resume and application submission, recruiter phone/video screen, hiring manager interview, performance exercise such as live coding, a panel interview, a conversation with leadership and reference checks.
About Our Benefits and Compensation
College Board offers a competitive benefits and compensation program that attracts top talent looking to make a difference in education. As a self-sustaining non-profit, we believe in compensating employees equitably in relation to each other, their qualifications, their impact, and the relevant market.
The hiring range for a new employee in this position is $150,000 to $163,000.
College Board differentiates salaries by location so where you live will narrow the portion of this range in which you can expect a salary.
Your salary will be carefully determined based on your location, relevant experience, the external labor market, and the pay of College Board employees in similar roles. College Board strives to provide our best offer up front based on these criteria.
Your salary is only one part of all that College Board offers, including but not limited to:
A comprehensive package designed to support the well-being of employees and their families and promote education. Our robust benefits package includes health, dental, and vision insurance, generous paid time off, paid parental leave, fertility benefits, pet insurance, tuition assistance, retirement benefits, and more
Recognition of exceptional performance through annual bonuses, salary growth over time through market increases, and opportunities for merit raises and promotions based on increased scope of responsibility
A job that matters, a team that cares, and a place to learn, innovate and thrive
You can expect to have transparent conversations about benefits and compensation with our recruiters throughout your application process.
About Our Culture
Our community matters, and we strive to practice and improve our culture daily. Here are some headlines:
We are motivated to positively impact the educational and career trajectories of millions of students a year
We prioritize building a diverse and inclusive team where every employee can thrive, and every voice is heard
We welcome staff to join any or all six of our affinity groups: ARISE (Alliance for Asian Retention, Inclusion, Success, and Engagement); DIASPORA (Alliance for Pan-African Success and Achievement); Pride (alliance for LGBTQ+ staff and allies); Resilience (alliance for Native staff and advocates); SALSA (Staff Alliance for Latinx Success and Achievement); and WIN (Women’s Impact Network)
We value learning and growth; we offer formal and informal ways to lead through your superpowers, sharpen your strengths, and meet your development goals
We know that our impact is strongest together. Our College Board Cares program offers all staff up to $1,000 annual match against partner non-profit organizations
We offer a transparent approach to promotions and merit raises, annual performance-based bonuses, and how to grow your career here over time