Information Security Engineer
Sonatype is the software supply chain management company. We're on a mission to change how the world innovates by making software development easier. From running the world's largest repository of Java open-source components (Maven Central) to inventing componentized software development and then software supply chain management to creating the only solution that stops malicious open-source malware in its tracks, we're constantly leading the industry while helping thousands of customers manage open source every day.Already used by 15 million developers, we have lofty goals for our technology to be in the hands of every engineering team. And we need you to do that. Join us!Learn more at www.sonatype.com.The Information Security Engineer will work with teams to implement security best practices across our growing cloud products, services, and tools we use to run the business. They will help secure the technical and operational aspects of the organization’s products and services; this person is essential to ensuring the ongoing protection of Sonatype’s critical role in the software supply chain. The role requires a strong understanding of Cloud security and experience with industry standard secure software development practices in order to contribute to the safe operation of cloud native solutions. The successful candidate will work with technical teams to implement security best practices across our growing cloud products, services, and the tools we use to run the business. This includes monitoring and vulnerability management practices, incident response processes, reporting, and guiding security improvements. As part of the Information Security team, you will be an Information Security stakeholder and collaborate with technical teams and third-party vendors to integrate security controls and compliance proofing into our products, platforms, and processes.
Primary Job Duties:
- Coordinate vulnerability scans and penetration testing, review output, provide initial analysis and manage remediation.
- Perform information security incident response and issue-resolution as needed.
- Protect digital assets from unauthorized access, mitigate risks before a data breach occurs and provide security to ensure critical information is thoroughly protected.
- Implement, configure and upgrade security tools and systems.
- Evaluate, integrate and configure security tooling.
- Collaborate with technical teams, product managers, and third parties.
- Respond to cyber security alerts from a variety of systems throughout the enterprise.
- Security event handling including InfoSec tickets, investigate log alerts & other security events via monitoring tools, event to incident conversion, etc.
- Perform technical risk assessments for software, products & services used anywhere inside Sonatype (OEMs, tools, algorithms, libraries etc.)
- Identify security flaws within the organization's infrastructure and make risk-based recommendations for remediation.
Job Requirements:
- 3+ years of Cloud, networking or security operations roles
- 3+ years of Incident management/handling and response methods/escalation.
- Experience with Vulnerability management & scanning tools.
- Common security frameworks and protection methods.
- Common cloud-security design patterns and methodologies.
- Technical risk assessment methods.
- DevSecOps processes.
- Experience with Cloud and infrastructure security best practices
Preferable Skills of Interest:
- Be conversant in web application security, ex: OWASP top 10.
- Be familiar with the principles of security architecture.
- Have experience in Disaster Recovery / Business Continuity planning and execution.
- Have experience with threat modeling frameworks and related industry tools.
- Have performed penetration tests and/or security reviews of infrastructure.
- Have deployed vulnerability scans, either automated or bespoke.
- Hold any of the following SANS Certifications: GSEC, GCIH, GCLD, GCID, GMON.
- Hold any (ISC)² Certifications such as: CISSP, CC, SSCP, CCSP, CAP, CSSLP.
- Hold AWS Certifications including: AWS Certified Security - Specialty (SCS-C02)
Things That We Are Proud Of:
- 2022 Frost & Sullivan Technology Innovation Leader Award: Sonatype earned Frost & Sullivan’s 2022 Global Technology Innovation Leadership Award in Development and Operations (DevOps) Security.
- NVTC 2022 Cyber Company of the Year: Sonatype was named Commercial Cyber Company of the Year and a Capital Cyber Award-winner by the Northern Virginia Technology Council (NVTC)
- 2022 Annual Peer Award: Sonatype’s Nexus Lifecycle won a PeerSpot Silver Peer Award as a leading Enterprise Technology solution in the Software Composition Analysis category.
- 2022 Best in Biz Award: Sonatype CEO Wayne Jackson was recognized as a Silver Winner in the Best in Biz Awards' Executive of the Year category.
- Tech Ascension Awards: Sonatype was named the Best DevOps Security Solution for Nexus Lifecycle and Nexus Firewall (Software Composition Analysis).
- BuiltIn Best Places to Work: Sonatype was named to the Washington DC 100 Best Places to Work list and Washington DC Best Midsize Places to Work list.
- Company Wellness Week - We shut down company operations for a week to enable all employees to spend time pursuing personal growth and enjoying much-needed and deserved rest.
- Diversity & Inclusion Working GroupsParental Leave PolicyPaid Volunteer Time Off (VTO)