Security Engineer III

United States

Fanatics

Fanatics.com is the ultimate sports apparel and fan gear store, featuring football jerseys, T-shirts, hats, collectibles and merchandise for fans of the NFL, MLB, NBA, NHL, soccer, and college.


Company Overview

Fanatics is building a leading global digital sports platform. We ignite the passions of global sports fans and maximize the presence and reach for our hundreds of sports partners globally by offering products and services across Fanatics Commerce, Fanatics Collectibles, and Fanatics Betting & Gaming, allowing sports fans to Buy, Collect, and Bet. Through the Fanatics platform, sports fans can buy licensed fan gear, jerseys, lifestyle and streetwear products, headwear, and hardgoods; collect physical and digital trading cards, sports memorabilia, and other digital assets; and bet as the company builds its Sportsbook and iGaming platform. Fanatics has an established database of over 100 million global sports fans; a global partner network with approximately 900 sports properties, including major national and international professional sports leagues, players associations, teams, colleges, college conferences and retail partners, 2,500 athletes and celebrities, and 200 exclusive athletes; and over 2,000 retail locations, including its Lids retail stores. Our more than 22,000 employees are committed to relentlessly enhancing the fan experience and delighting sports fans globally.

 

The Role

We are seeking an Application Security Engineer III to help build and advance the application security program within the Fanatics Ecosystem organization. This role is critical in driving secure development practices, performing hands-on security assessments, and collaborating with engineering teams to protect both customer-facing products and internal platforms. The ideal candidate is a strong technical expert with deep experience in application security and is capable of identifying and mitigating risks across a diverse technology stack. This role will work closely with Information Security teams across operating companies (Commerce, Collectibles, Fanatics Betting and Gaming, etc.). This role reports directly to the Senior Manager, Security Engineering.

 

What You'll Do: 

  • Conduct penetration testing and vulnerability assessments to identify and evaluate potential security risks in applications, systems, and networks.
  • Develop and maintain security testing procedures and methodologies, including manual and automated testing.
  • Work with development teams to remediate security issues found during testing, providing guidance and support as necessary.
  • Collaborate with other security professionals to design and implement security controls and processes.
  • Stay up-to-date on the latest threats, vulnerabilities, and security trends to ensure that our organization is prepared to address emerging threats.
  • Collaborate on security assessments of third-party software and services used by the organization when necessary.
  • Participate in incident response activities as needed.
  • Implement and manage application security tools such as DAST, SAST, and SCA. 
  • Provide training and awareness to educate developers on secure coding practices.
  • Partner with engineering by conducting code reviews and API testing to identify vulnerabilities and provide recommendations as needed.

 

What We're Looking For: 

  • Minimum of 4 years of experience in application security, including penetration testing 
  • Strong understanding of web application security principles and OWASP Top 10 vulnerabilities
  • Experience with integrating security into CI/CD pipelines. 
  • Familiarity with security testing tools such as Burp Suite, Nessus, or similar tools 
  • Knowledge of secure coding practices and ability to work closely with development teams to promote secure coding principles
  • Demonstrated experience leveraging infrastructure-as-code tools such as Terraform or Ansible.
  • Experience with identity management protocols (e.g., OAuth, SAML, OpenID Connect). 
  • Ability to communicate effectively with technical and non-technical stakeholders.
  • Ability to prioritize and balance multiple projects simultaneously.
  • Ability to collaborate and work in a team environment.
  • Proven experience drafting documentation such as standards, policies and architecture diagrams. 
  • Experience with scripting languages such as Python or Bash is a requirement.
  • Relevant certifications such as OSCP, GPEN, GWAPT are a plus.

In New York, the salary range for this position is $155,000 to $193,750, which represents base pay only and does not include short-term or long-term incentive compensation. When determining base pay, as part of a final compensation package, we consider several factors such as location, experience, qualifications, and training. 


Tags: Ansible APIs Application security Bash Burp Suite CI/CD DAST GPEN GWAPT Incident response Nessus OpenID OSCP OWASP Pentesting Python SAML SAST Scripting Security assessment Terraform Vulnerabilities

Perks/benefits: Conferences Team events

Region: North America
Country: United States
