Command|Link is a global SaaS platform providing network, voice services, and IT security solutions. They are seeking a Senior Product Security Engineer to take ownership of the product security posture, elevate security practices, and integrate security into the software development lifecycle.
Responsibilities:
- Own and advance Command|Link's vulnerability management program end-to-end, from tooling and deployment through SLA definition and enforcement
- Define and drive quarterly vulnerability targets, including the goal of zero critical vulnerabilities outstanding across all engineering teams each quarter
- Partner with engineering leads to integrate vulnerability scanning into CI/CD pipelines and create visibility dashboards that hold teams accountable
- Triage, prioritize, and track remediation of findings across our cloud infrastructure, application layer, and third-party dependencies
- Own and drive our company-wide secrets management program, maintaining and enforcing clear standards for how credentials are created, stored, rotated, and retired
- Partner with engineering teams to meet regular credential rotation targets and enforce consistent hygiene practices across the organization
- Champion the adoption of dynamic secrets management and modern identity-based access patterns as the default over long-lived static credentials
- Implement controls and processes to maintain ongoing visibility into credential health and reduce the risk surface associated with credential mismanagement
- Lead and deepen our threat modeling framework, ensuring security evaluation is woven into the SDLC well before features reach production
- Develop threat modeling templates, playbooks, and training materials that enable engineering teams to self-serve on security reviews for new features and services
- Conduct threat models for high-risk features, new service designs, and major architecture changes, producing actionable remediation guidance
- Ensure security requirements derived from threat models are tracked as first-class engineering deliverables
- Act as the internal security advocate, growing our Security Champions program and deepening security ownership across each engineering team
- Deliver security awareness training, conduct secure code review workshops, and build the documentation and runbooks that scale your impact beyond your direct work
- Partner with Product and Engineering leadership to ensure security is a named requirement in product roadmap planning
- Support and advance our SOC 2 and other compliance postures by ensuring technical controls are implemented, documented, and auditable
- Identify, assess, and communicate security risk in business terms, helping leadership make informed trade-off decisions
- Take on additional responsibilities and projects as needed to support the success of the team and organization
Requirements:
- 8+ years of experience in security engineering, application security, or product security roles, with at least 3 years in a senior or lead capacity
- Demonstrated experience building or maturing security programs in high-growth SaaS environments, with a track record of driving measurable improvements
- Hands-on experience with SAST, DAST, SCA, and container scanning tools (e.g., Snyk, Semgrep, Trivy, Wiz, Qualys, or equivalents)
- Proven ability to integrate scanning tooling into CI/CD pipelines (GitHub Actions, GitLab CI, or similar) and drive cross-team remediation at scale
- Deep familiarity with secrets management solutions such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault
- Experience auditing codebases and infrastructure for static credentials and leading large-scale rotation and migration efforts
- Proficiency in structured threat modeling methodologies (STRIDE, PASTA, or equivalent) and experience delivering programs that engineers actually use
- Ability to translate threat models into concrete, prioritized engineering requirements
- Strong understanding of cloud security posture across AWS, Azure, and/or GCP, including IAM, network security groups, storage policies, and logging
- Comfort working in containerized, microservices environments (Kubernetes, Docker)
- Exceptional ability to communicate risk and security requirements to both technical and non-technical audiences
- A track record of driving security outcomes through influence rather than mandate, building trust with engineering teams rather than friction