6 hours ago

Product Security Engineer

iHerb

Hybrid
Full Time
$140,000

Job Overview

Job Title: Product Security Engineer
Job Type: Full Time
Category: Commerce
Experience: 5 Years
Degree: Master
Offered Salary: $140,000
Location: Hybrid

Job Description

Job Summary

The Product Security Engineer at iHerb will be integral in enhancing our Secure Development Lifecycle processes and security automation technologies. This role involves driving the security hardening strategy across our product offerings and proactively responding to current and emerging security threats. You will contribute significantly to the Product Security team, collaborating with global development teams to define new security capabilities and partnering with leaders to implement company-wide security initiatives.

Job Expectations

  • Drive cross-functional projects and establish cutting-edge security development lifecycle practices.
  • Lead security design reviews and threat modeling for new and existing services at iHerb.
  • Evaluate, prototype, implement, and operate security-focused tools and services (DAST, SAST, SCA...).
  • Develop new secure architecture standards, frameworks, and patterns spanning multiple layers.
  • Understand and analyze emerging security threats, determining applicability to iHerb and proactively implementing centralized mitigations.
  • Maintain a strong knowledge of current security threats and operational best practices.
  • Participate in our security assessment, penetration testing, and bug bounty programs.
  • Take part in security incident response.

Required Knowledge, Skills and Abilities

  • Demonstrated technical foundation in security.
  • Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…).
  • Proficiency implementing SDL process, technology, and automation in a DevOps environment.
  • Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection, and encryption.
  • Excellent problem solving, critical thinking, collaboration, and communication skills.
  • Experience driving application security training, security champions, and awareness campaigns.
  • Active contributor to the security community (research, open source, publications…).

Equipment Knowledge

  • Knowledge of major programming languages and frameworks (e.g., Python, C# .NET, JavaScript, Node.js, Java...).

Experience Requirements

Generally requires three (3) plus years of technical security experience at top-tier software companies, including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security, and broader cloud computing technologies.

Education Requirements

Computer Science / Engineering degree or equivalent experience with an ability to translate technical vulnerabilities into organizational risks.

Key skills/competency

  • Secure Development Lifecycle (SDL)
  • Security Automation
  • Threat Modeling
  • Application Security
  • Cloud Security
  • OWASP Top 10
  • SAST/DAST/SCA
  • Incident Response
  • Cryptography
  • Microservices Security

Tags:

Product Security Engineer
Secure Development Lifecycle
Threat Modeling
Security Automation
Application Security
Cloud Security
Incident Response
SAST
DAST
Cryptography
API Security
Python
C#
JavaScript
Node.js
Java
.NET
Microservices
Cloud Computing
DevOps
Web Applications

How to Get Hired at iHerb

  • Research iHerb's culture: Study their mission, values, recent news, and employee testimonials on LinkedIn and Glassdoor.
  • Tailor your resume: Highlight experience in SDL, threat modeling, and cloud security, aligning with iHerb's Product Security Engineer role.
  • Showcase security expertise: Emphasize contributions to security community, open-source projects, and incident response.
  • Prepare for technical interviews: Practice explaining complex security concepts, OWASP Top 10, and secure coding principles relevant to large-scale applications.
  • Demonstrate problem-solving: Be ready to discuss how you've identified and mitigated security vulnerabilities in past roles.
