Engineer IV, Product Security

College Board - Technology

Remote

About the Team

The College Board's Product Security team is an agile organization, embracing DevSecOps and cloud-native systems, and focused on improving speed and security of service delivery in support of an important mission. To enable this mission, the College Board is seeking an Engineer IV - Product Security to help drive the development of innovative and transformative security solutions in our DevSecOps and cloud transformation initiatives. The Engineer IV - Product Security is a highly technical and creative contributor to a bleeding edge cloud and application security team enabling the agile development of secure and reliable cloud-based solutions via strong partnerships and interactions with our Products Teams.

About the Opportunity

As a Product Security Engineer, you will support and manage a variety of projects in the Product Security team. In this role, you will both learn and introduce new security services, technologies, and technical solutions to secure our Products and platforms.

You will interact with different stake holders, product development leads, architects, Cybersecurity operations, Risk and Compliance teams and external partners/vendors such as ETS and various SaaS providers. You will review and adopt new innovative security solutions, make updates to existing solutions, negotiate alternative options and participate in building technical and release roadmaps.

As an Engineer IV, you will lead and mentor junior team members supporting their growth and development in Product Security concepts, tools and best practices.

In this role you will:

• Partner Program - Partnership Development (50%)

• Act as a liaison between Product Security teams (both in IT and outside of IT) and the Information Security Office via regular engagements with assigned Partner teams. Embed into planning and grooming sessions.

• Develop deep understanding of our Security Policies and Audit requirements in order to support assigned Partner teams, GRC Exceptions and Audit efforts (PCI, SOC2, ISO27001, GDPR, State Contract requirements)
• Create Risk Registers for your assigned products and communicate application risks and vulnerabilities to technical stakeholders.
• Lead application vulnerability reviews and remediation efforts. Develop deep skill sets in understanding, managing and determining exploitability of vulnerabilities to properly determine risk and priority.
• Work to gain a deep understanding of your assigned products' architectures, Supply Chain (Vendors, Partners, Third Party) Development Practices, CI/CD, GRC Exceptions, Release cadence in order to understand and support mitigation of security risks.
• Partner with Senior Team members to mentor developers through discussions, presentations, or hands on training sessions to demonstrate best practices in developing secure code and securing application infrastructure.

• Ensure all assigned products and applications adhere to the Product Security Framework requirements and work to remediate any gaps.

• Elevate Product Security 25%

• Work to promote, grow and enhance the Product Security Partners program to develop Security Champions and enable dev teams to shift left.

• Develop and deliver guidance and training sessions to grow Product Team's Secure Development LifeCycle skills and awareness.
• Grow skills to perform secure reviews of application architectures and security patterns as needed.
• Grow skills to develop threat models and risk assessments in conjunction with architects and software engineering staff to identify application security weaknesses and provide coaching on remediation strategies.

• Develop and deliver Secure Developer Training, Workshops, and training opportunities to cultivate a culture of Product Security

• Operations 25%

• Support implementing and operationalizing security tooling and common integrated development environments (AWS).

• Develop, understand, and provide input into metrics and KPI's for assigned partner teams.
• Participate in planning and grooming as part of agile ceremonies and manage assigned Epics.
• Develop hands on expertise with CI/CD and build pipelines with an understanding of quality and security gates; participate in integration of automated solutions to increase security in CI/CD.
• Work with broader ISO team on incident response and operational/strategic initiatives.
• Evaluate and promote new and existing security standards, tools, and solutions with a focus on automation and securing build pipelines for a shift left approach.

About You

You have:

• 3-5 years of progressively responsible, directly related experience
• Hands on knowledge of secure development practices, Secure Development LifeCycle and DevSecOps