Location
Remote, US
Salary
$120,250 - $165,750 /yearly
Type
fulltime
Posted
Today
Job Description
At Shutterfly, we make life's experiences unforgettable. We believe there is extraordinary power in self-expression. That's why our family of brands helps customers create products and capture moments that reflect who they uniquely are.
This is an exciting time for Shutterfly and we are looking for a Senior Application Security Engineer to join our team! In this position you will be an integral part of a developing and expanding Application Security program. The Senior Application Security Engineer is a vital role that helps to provide assurance for Shutterfly's critical applications and securely enables business functions. We're looking for a person who is just as passionate about uncovering a security vulnerability as they are about educating developers on how to fix it. Your focus will be on helping to build and maintain an Application Security program that can be used as the benchmark for our industry.
What You'll Do Here:
- Manage our bug bounty program including triage, assessing impact, risk scoring (CVSS), helping to locate the vulnerable code, providing mitigation guidance, performing thorough re-testing, and refining program policy and scope as needed.
- Vulnerability Management: Identify, triage, and remediate application vulnerabilities (SAST, SCA, IAST) using automated tools or manual testing.
- Web Penetration Testing: Assist with internal web pen tests and coordinate with 3rd party testers.
- Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications.
- Incident Response: Collaborate with incident response teams to investigate and remediate application-related security incidents.
- Security Tooling: Evaluate, implement, maintain and decommission security tools and platforms to support application security efforts (SAST, SCA, DAST, IAST, RASP, WAF, ASPM, CNAPP, CSPM).
- Continuous Improvement: Maintain up-to-date knowledge of relevant security threats, mitigations, and security best practices.
- Secure SDLC: Define and implement secure development practices, including code reviews, static/dynamic analysis, and CI/CD pipeline integration.
- Provide guidance and recommendations to software engineering teams to implement effective security measures to mitigate risks.
- Become a Subject Matter Expert and top technical resource to engineers around the organization. Help engineers reproduce vulnerabilities, understand their impact, document issues, mitigate or retest the effectiveness of a fix, etc.
- Perform and lead code reviews of critical PRs and code changes.
- Security Architecture & Design: Partner with engineering teams to design secure systems and applications, ensuring security is built-in from the ground up. Initiate and lead design, architecture, and solution reviews.
- Mentorship & Leadership: Mentor junior security engineers and developers on secure coding practices and security principles. Build relationships with stakeholders and business leaders across the organization.
- Cross-Functional Collaboration: Work closely with product, engineering, DevOps, and compliance teams to align security with business goals.
Required Qualifications:
- Bachelor's degree in computer science, cybersecurity, or related technical field.
- Proficient in one modern programming language (preferably Java) and can review code in most major languages.
- Strong analytical and problem-solving abilities with a risk-based security approach.
- Advanced user of Burp Suite Pro, bonus if you have created custom extensions in Java or Python and have used or modified existing extensions.
- Excellent communication and collaboration skills, able to work across IT, engineering, and business teams.
Preferred Qualifications:
- Full stack web development experience within an active security program.
- Experience managing a bug bounty program.
- Have a security certification that demonstrates proficiency in web assessments, secure coding, and professional report creation (for example: OSWA, OSWE, GWAPT, GWEB).
- Submitted reports to bug bounty programs or VDPs, and you've found a CVE along the way.
- Strong command-line and scripting skills (bash, zsh, Python) on Linux and Mac.
- Enjoy attending security conferences and occasionally participate in CTFs.
- Spend time on cyber security training platforms (HackTheBox, TryHackMe).
- Work with engineering teams to develop secure code libraries.
- Experience deploying and managing a RASP solution (e.g. Contrast, Prevoty) on multiple tech stacks.
- Capable of rapidly learning and integrating emerging tools and platforms with minimal supervision.
Supporting a diverse and inclusive workforce is important to Shutterfly not only because it directly reflects our value of Embracing our Differences, but also because it's the right thing to do for our business and for our people. We welcome all applicants and evaluate them based on their qualifications. Learn more about our commitment to Diversity, Equity, and Inclusion on our Career Site.
The compensation package for this role is based on multiple factors, such as job level, responsibilities, location, and candidate experience. The base pay ranges included below are specific to the locations listed, and may not be applicable to other locations.
California: $128,000-181,250
Connecticut and New York: $128,000-165,750
Colorado, Illinois, Minnesota and Washington: $128,000-153,000
Nevada: $120,250-165,750
Maryland and New Jersey: $138,250-165,750
Hawaii: $120,250-144,750
This position may be eligible for a bonus incentive, health benefits, a 401K program, and other employee perks. More details about our company benefits can be found at https://shutterflyinc.com/benefits/.
This opportunity can be remote, but candidates must reside in a state in which Shutterfly is registered to do business. This includes all US states except District of Columbia, North Dakota, Mississippi, Rhode Island, Vermont, and Wyoming.
This position will accept applications on an ongoing basis until filled.
#SFLYTechnology