Application Security Engineer
Postman is the world’s leading collaboration platform for API development. Postman's features simplify each step of building an API and streamline collaboration to help create better APIs—faster. More than 15 million developers and 500,000 organizations worldwide use Postman today.
Our customers are doing more and more astounding things with the Postman product every day, and as a result, we are growing rapidly.
About the Team
After our exciting $5.6 billion Series D valuation, we are set to innovate and scale our Application Security function rapidly, so that we continue to live up to our responsibility to provide secure services and to promote a secure API and general development culture across the globe. Postman’s Application Security team is comprised of other Security Researchers and Software Engineers who are highly conscious of security and who continuously work to improve through regular security-related discussions, planning, and training, while also possessing a general air of being security aware.
As a result, Postman is looking for experienced Security Researchers and Security Engineers to join the Application Security team. You would be responsible for maintaining and improving the security of the services provided by Postman.
This position is remote and reports to the Application Security Manager.
What you get to do every day
- Identify critical flaws in our web applications and cloud infrastructure that could be exploited.
- Collaborate with peers to write and review technical proposals, architectural diagrams, application code and cloud formation.
- Reduce assessment time by maintaining specifications and tooling. Improve the scope of our assessments by adding new techniques and new categories of vulnerability assessments.
- Educate the organisation to pre-emptively develop secure services and to prevent security regressions by organising talks and preparing written articles.
- Use automated and manual testing techniques and methods to gain a better understanding of the environment and reduce false negatives.
- Compile and track vulnerabilities over time for metrics purposes within the organisation, along with vulnerabilities on all technologies we use and technologies provided to us by our SaaS vendors.
- Review and define requirements for information security solutions in the context of our products and set guidelines to meet them.
- Work closely with the team to build systems that can eliminate, protect against, and eradicate entire classes of vulnerabilities.
What you bring to the role
- Experience working as a Security Engineer or working as a Software Engineer with deep involvement in securing modern web applications.
- Ability to understand complicated information flows, along with the ability to use one or more high-level programming languages.
- Experience reviewing source code for vulnerabilities and conducting threat modelling / risk assessments.
- Proficient with common developer tools and processes such as GitHub, CI/CD, containers and orchestration, IaaS/PaaS, APIs, WebSockets, databases, and front-end and back-end systems.
- Experience with tools in common application security categories such as SAST, SCA, WAF, etc.
- Understanding of web security mechanisms (such as SOP, CORS, CSP, Subresource Integrity, and same-site cookies).
- Strong understanding of various authentication/authorization protocols, e.g. OAuth, SAML and JWT.
We offer competitive salary and benefits, and a flexible schedule working with a fun, collaborative team. Enjoy full medical coverage, unlimited PTO, and a monthly lunch stipend. (Yes, seriously. We want you to eat well wherever you’re at.) Plus, our wellness program will help you stay healthy from your location with fitness-related reimbursements. Our frequent and fascinating virtual team-building events will keep you connected, while our donation-matching program can support the causes you care about. We’re building a long-term company with an inclusive culture where everyone can be the best version of themselves, and we want you to be part of it. Join us, why dontcha?