Founded in 2009, SendGrid is an industry-disrupting, cloud-based customer communication platform that solves the challenges of reliably delivering emails on behalf of our customers. We deliver over 33 billion emails a month for customers like Airbnb, Spotify, and Uber.
SendGrid's InfoSec team is seeking a technical resource with a strong background in software development and a deep knowledge of application security. In this role, you will work directly with the Engineering, Operations and Quality Engineering teams to test the security posture of new and existing applications. You’ll be responsible for setting direction on how the company tests its software for security problems as it rolls out to production, and for ensuring SendGrid remains the most trusted communications platform. You will work on a small, versatile and passionate team, tackling new problems as we continue to push our technology forward.
* Live by and champion our cultural values of Happy, Hungry, Honest, and Humble
* Create custom tools to perform security tests on our infrastructure and within our code base
* Develop a program to test code in a static analysis environment as well as in the live environment
* Work in concert with the InfoSec PM to build security into all phases of the software development lifecycle
* We're an agile, fast-growing company and this job description isn't meant to be a complete list of your qualifications or all the things you'll do.
* 3+ years of experience in an application security-related field (code reviews, application penetration testing, security engineering, operations, development)
* Experience working in an enterprise SaaS company
* Have created some custom tools to solve a problem not covered by open source or commercial software
* Understand the use of fuzzing and where it does and doesn’t make sense
* Reverse engineer patches to create exploits for vulnerabilities
* Experience with systems and application hardening frameworks
* Experience running threat models against applications
* Ability to communicate complicated technical concepts to all levels of technical expertise throughout the company
* Able to understand, identify, and explain risks of common software security issues (e.g. OWASP Top 10) and demonstrate remediation techniques in various languages
* Proficient in TDD methodologies and developing security-related tests
* Familiar with automated build and deployment tools such as Jenkins or TravisCI
* Proficient with various DB technologies such as MySQL/Postgres, MongoDB, Cassandra, etc.
* Willing to be part of the on-call rotation to respond to security issues
* Persuasive - Bring others to their point of view using logic, data, and emotion. Have a formal process and framework by which to make qualitative and quantitative points, not just using emotional appeals
* Accountable - Being willing to answer for the outcomes resulting from their own choices, behaviors, and actions. Take ownership of situations that they're involved in
* Self Motivated - Motivated to do or achieve something because of one's own enthusiasm or interest, without needing pressure from others
* Focused - Achieve what they set out to do before launching new initiatives. Complete company-linked goals and tasks, not simply to be busy and active
* Collaborative - A keen ability to support cross-functional projects and decisions. Gets energized from working within a team and cross-functionally to achieve the company's goals