SaaS Security Assessment Engineer
Santa Clara Valley (Cupertino), California, United States
Apple is seeking a Software-as-a-Service (SaaS) Security Assessment Engineer within the Supplier Trust Program. We are looking for an experienced security professional who is passionate and knowledgeable about SaaS, Cloud, and Web Security. The candidate can bring new ideas and strategy to a newly established program and is a forward, “outside the box” thinker. This position will be responsible for conducting security assessments on 3rd Party SaaS products and Cloud-based services, as well as ensuring secure implementation of these products and services. There is also overlap with infrastructure-level Cloud Security Assessments. This is not a “check-the-box” focused role; this position requires a broad mix of technical expertise and business acumen coupled with polished communication to ensure Apple is adopting and implementing SaaS and Cloud-based services which meet our unique security requirements and standards.

Location Preferences: Pacific Time Zone (Bay Area), Austin, Boulder
- 5+ years of work experience with Web Application/SaaS Security and Public Cloud (e.g., AWS, GCP, Azure) Security.
- 3+ years of experience evaluating system architectural designs, data flows, and technical security implementations, especially for SaaS Applications and Systems hosted on cloud platforms.
- 3+ years of work experience conducting information security consulting engagements.
- Experience engaging with both third parties and internal customers regarding security.
- Experience in leveraging and configuring Dynamic Application Security Testing (DAST) tools and writing custom checks.
- In-depth knowledge of the security assessment process and lifecycle, with the ability to identify potential improvement areas and gaps in existing processes.
- In-depth knowledge of identifying and protecting against web application and web service security vulnerabilities, including those found in the OWASP Top 10 and CWE Top 25.
- Threat Modeling and Design Reviews.
- Strong knowledge of Application Security, Network Security, Crypto, and Identity Management.
- In-depth knowledge of Application and Cloud Security industry standards, trends, threats, vulnerabilities, and technology frameworks.
- Excellent written and oral communication skills, including experience communicating to both technical and non-technical audiences.

Helpful Qualifications:
- Hands-on experience with Penetration Testing of Web applications, SaaS products, and/or Cloud environments.
- Contributions to the security community such as research, published CVEs, bug-bounty recognitions, open-source projects, blogs, or publications.
- Industry Certifications such as GWAPT, GPEN, GCPN, OSWE.
- Experience in Third Party Risk Management (TPRM).
- Independently perform risk-based security assessments of Apple Third-Party SaaS providers.
- Work with internal and external stakeholders to independently perform security assessments to deliver security assurance on third-party SaaS applications, with potential for Cloud-level security assessments.
- Conduct security architecture reviews of Third-Party SaaS applications built on cloud and emerging technologies.
- Provide clear and detailed risk assessments and remediation guidelines for Third-Party Suppliers and Apple business teams.
- Report underlying security issues and propose enhanced security protections and/or counter-measures.
- Develop and innovate our Supplier Security Strategy to ensure Apple works with the most mature and secure Suppliers available.
- Author and maintain Third Party security standards and guidelines.
- Research new and emerging threats in the SaaS space to ensure Apple’s assessment methodology is keeping pace with security trends.
- Deliver program enhancements including automation, assessment tooling, and penetration testing.
- Provide guidance to prospective Suppliers on Apple security requirements, including remediation and potential feature enhancements.
- Execute security design and implementation reviews of onboarded 3rd Party SaaS Applications and web services throughout the Supplier lifecycle.
- Execute security reviews of Apple’s implementation of 3rd Party SaaS.
- Partner with procurement and legal to enhance Third Party security agreements and contracts.
Education & Experience
Bachelor’s Degree or equivalent experience. Certifications from organizations such as Offensive Security, GIAC, and ISC2 are a plus. Prior professional consulting experience in a client-facing capacity is a plus.