Director, Product Security Engineering

What You’ll Do

• Serve as the primary architectural lead for high-priority product security initiatives, ensuring the strategic alignment and timely delivery of impactful programs.
• Be a key advisor to the overall strategy and roadmap of the Product Security Program.
• Drive the expansion and maturation of the Navan S-SDLC program across the organization.
• Review product designs for security defects, perform threat modeling and recommend remediations.
• Work with engineers to identify the tradeoffs of different solutions and recommend the ideal design to meet security requirements.
• Design and develop security tools and processes to be leveraged by development teams.
• Work closely with engineering to sustain processes and/or convert manual integrations to automated pipeline activities.
• Lead the definition and development of custom Security as Code solutions.
• Provide training, guidance, and assistance to development teams early in the SSDLC.
• Cultivate security ownership in the product teams.
• Bring visibility to product/application vulnerabilities in a consistent manner to enable appropriate prioritization and remediation.
• Help build the Red Team and PSIRT functions.

What We’re Looking For

• Proven experience performing threat modeling and architecture reviews for complex applications.
• Proven experience delivering critical org-wide product security initiatives.
• Proven experience performing application, cloud and mobile penetration testing in high risk environments like financial or healthcare companies.
• 8-10+ years of Technical Product Security experience with a proven track record of system-wide impact in SSDLC tooling, automation, and threat modeling/attack surface analysis.
• Proven ability to mentor junior engineers and lead cross-functional initiatives in multifaceted and highly technical organizations.
• Ability to provide pragmatic security advice for web applications, mobile applications, and cloud software.
• Experience working in Agile development with experience in technologies such as:
  • Cloud environment (AWS, or similar)
  • Application security testing tools (SAST, DAST, IAST, SCA, or similar.)
  • Infrastructure as code (Terraform, or similar)
  • Java Spring Framework (3+ years), Hibernate or similar ORM technologies, JavaScript/CSS, and Angular
  • Containers (Docker, Kubernetes, or similar)
  • Continuous integration (Jenkins, Github Actions or similar)
  • Integration of Security testing tools into CI pipelines
  • Defect tracking (Jira,or similar.)
  • Source code management (GitHub, or similar.)
• In-depth knowledge of common application & network protocols, cryptographic primitives, authentication & authorization protocols, and common security threats, such as attack techniques, evasive techniques, and preventative & defensive methods.
• Deep knowledge of cloud operational models and secure SaaS architecture in a containerized microservices world.