ShipHero

Remote Software Security Engineer

Location

Worldwide

Job Type

Full-time

Experience

N/A

Salary

N/A

Skill Set

Role

Backend Programming

Job Details

About ShipHero:

Hello. We are ShipHero (https://shiphero.com). We have built a software platform entrusted by hundreds of e-commerce companies, large and small, to run their operations, and we continue to grow. About US$5 billion of e-commerce orders are shipped a year via ShipHero. Our customers sell on Shopify, Amazon, Etsy, eBay, WooCommerce, BigCommerce and many other platforms. We’re driven to help our customers grow their businesses by providing a platform that solves complex problems and is engineered to be reliable and fast. We are obsessed with building great technology that is beautiful, easy to use and loved by our customers. Our culture also reflects our ethos and belief that by bringing passionate, talented and great people together, you can do great things.

Our team is fully remote, with most of our engineers currently spread across the Americas, but we have been building out teams in Europe as well. We communicate regularly using video chat and Slack and put a strong emphasis on asynchronous work so people have large chunks of uninterrupted time to focus and do deep work.

Making sure you and the rest of the company are able to focus while being at work is really important to us. You can read our internal guide on how we communicate from our website: https://shiphero.com/careers/c...


About the role:

We are looking for an experienced Software Security Engineer who will help us develop and enhance our in-house security automation tooling. Your duties will include advanced development in Python/Django/Flask, but also a day-to-day security workload: security analysis and monitoring, enabling and improving existing security controls, vulnerability management, and participating in security incidents and reviews.

You should have a solid Software Engineering background with strong experience in Application Security and Web Technologies.


Responsibilities:

  • Point of contact for all conversations related to Application Security best practices for teams of engineers developing new features: participate in brainstorming, make sure security imperatives are visible at all times, perform risk assessments, document all decisions in ADRs, sign off on definitions as the security gatekeeper, keep track of all future commitments and enforce accountability with the teams.
  • Manage our Bug Bounty Program: act as PoC for security researchers, coordinate maintenance of a proper security testing environment, triage findings, create the corresponding tickets with the required details, make sure they are properly prioritized and visible to engineering managers, determine the bounty value of findings and process payment.
  • Act as coordinator for our security incident process whenever required: open communication channels with stakeholders, make sure the defined process is followed, give leadership visibility of the ongoing status, validate the proposed solution or mitigation, lead the post-mortem review, and keep track of all commitments and enforce accountability with the responsible owners.
  • Lead the annual pen-testing process: evaluate third-party candidates, prepare cost proposals and contribute to the selection decision. Coordinate preparation of the proper pen-testing environment, coordinate the pen-testing calendar, lead communication between pen-testers and the internal team, document findings for prioritization and assignment to internal teams, coordinate re-testing, validate fixes and lead the process to its final stages.
  • Implement and maintain a SIEM for application logs, configure alerts for real-time incident detection, leverage current threat detection tools, and document and facilitate log archiving for forensic activities.
  • Automate reporting of dependency vulnerability status, prioritize patching, help engineering teams with upgrades (classification, development and deployment), and be proactive on highly critical vulnerabilities with a hands-on approach to patching.
  • Work with the current SAST implementation, improve its reporting for better visibility of vulnerabilities, plan a mitigation roadmap and follow its implementation.
  • Act as PoC for our Compliance Officer to answer all requests that affect Engineering in general and Application Development in particular.


Requirements:

  • 5+ years as a Security Engineer.
  • 5+ years as a Software Engineer using Python.
  • Experience in automating security tasks and configuring security tools (SIEM, Web Scanners).
  • Practical experience with Linux, Apache, Nginx, Gunicorn, Django, Flask, React, and MySQL.
  • Practical experience with modern cloud deployment pipelines: Infrastructure as Code (Terraform), a defined Software Development Lifecycle, and Continuous Integration and Delivery (Git & Atlassian Suite).
  • Competence in spoken and written English.


Perks:

  • $2,500 so you can buy any equipment you need to be happy at your job
  • 20 days paid vacation + new year & Christmas
  • Conference days don't count against your vacation days, we want you to stay up-to-date
  • We will pay for courses & conferences, if you learn we all learn
  • Salary range is $75,000 - $120,000 / year depending on experience and location