[Hiring] Sr. Product Security Engineer @YipitData

Role Description

We are seeking a Sr. Product Security Engineer to manage the day-to-day execution of the organization's vulnerability management program and provide hands-on support for secure software development lifecycle (SSDLC) and CI/CD security initiatives.

• Own the end-to-end vulnerability lifecycle:
  • intake, triage, assignment, remediation coordination, verification, and closure across all finding sources (dependency scanning, secrets scanning, IaC scanning, container scanning, SAST, DAST, and manual assessments).
• Enforce severity-based SLAs, escalation paths, and ownership expectations.
• Track remediation timelines and follow up with engineering teams to ensure findings are resolved within policy requirements.
• Aggregate findings centrally from all scanning tools and sources into a unified tracking system.
• Manage exception and risk acceptance workflows.
• Produce vulnerability posture reports and dashboards.
• Coordinate with engineering teams on remediation prioritization.
• Drive reduction of aging findings through proactive follow-up, workflow automation, and escalation when remediation stalls.

CI/CD Security Control Support:

• Assist the DevSecOps Lead with implementation of baseline security controls.
• Help integrate controls into repositories, CI/CD pipelines, registries, and deployment workflows.
• Validate that controls are functioning as intended.
• Assist with onboarding new teams to the secure pipeline.

SSDLC Support:

• Support the DevSecOps Lead in maintaining and socializing the Secure Software Development Lifecycle policy and implementation guide.
• Help maintain templates, configuration standards, and setup guidance for teams adopting SSDLC controls.
• Assist with reference repository maintenance.
• Participate in office hours, reviews, and implementation support sessions.

Reporting, Metrics, and Audit Support:

• Own vulnerability management metrics and reporting.
• Contribute to broader security metrics.
• Prepare audit-ready evidence related to vulnerability management.
• Support the DevSecOps Lead in preparing leadership updates and cross-functional communications.

Qualifications

• 3–6 years of experience in security operations, vulnerability management, application security, DevSecOps, or a related security engineering role.
• Hands-on experience with vulnerability management workflows.
• Working knowledge of common scanning tools and finding types.
• Familiarity with Git-based workflows, CI/CD systems, and cloud-native development environments.
• Experience producing security metrics, dashboards, and reports for technical and leadership audiences.
• Strong organizational and follow-through skills.
• Clear written and verbal communication skills.

Requirements

• Experience with vulnerability aggregation platforms or security finding management tools.
• Familiarity with GitHub Enterprise, GitHub Actions, or similar CI/CD platforms.
• Experience supporting SOC 2 or similar audit and compliance requirements.
• Exposure to ticketing system integrations (e.g., Jira).
• Familiarity with supply chain security concepts.
• Relevant Certifications (preferred, not required): GSEC, Certified DevSecOps Professional (CDP), CISSP, CSSLP, or SSCP.

Benefits

• Flexible work hours.
• Flexible vacation.
• Generous 401K match.
• Parental leave.
• Team events.
• Wellness budget.
• Learning reimbursement.
• Equity in the compensation package.