Principal Application Security Engineer

Security @ Autodesk

Our team of security experts helps Autodesk design, build, deploy and maintain secure products. We are embedding security in the full spectrum of how we build our products from inception, design, development, testing to how we are running them in the cloud as well as how we are responding to any existing or emerging threats to our products or the building blocks of our products and services. Our job is to be one step ahead of the bad guys and use expertise, technology, and other resources to thwart their efforts to compromise our products and the environment in which they operate. Our team keeps a single-minded focus on protecting our customer's data and their investment in our products by strengthening our applications, underlying services, and network.

Position Overview

We are looking for a passionate Principal Application Security Engineer to drive strategic direction, develop standards, guidelines, and policies for our application security program. You will lead "shift-left" security efforts to build security into the software development lifecycle (SDLC). You will drive a standardized set of security requirements and align policies to meet external regulatory requirements. Come practice and grow your security expertise at scale to keep Autodesk one step ahead of our adversaries!

Responsibilities

• Define our application security strategies, standards, policies, and roadmaps and champion their implementation
• Guide product stakeholders and teams to incorporate security into the SDLC
• Evaluate the threat landscape through architecture reviews, secure code reviews, and threat models
• Explore new and emerging technologies to identify security solutions to fill gaps or enhance capability and security value
• Review output from SAST, DAST, and SCA tools and provide feedback on results
• Establish security metrics and define KPIs for the application security program
• Assist PSIRT with analysis on vulnerability reports submitted by researchers and root cause analysis
• Assist in creation of security training and workshops for application teams

Minimum Qualifications

• 8+ years of experience in application security including web application experience, desktop application experience, and secure coding practices
• Familiarity with industry standards and frameworks, such as OWASP Top Ten Project, NIST Cybersecurity Framework, SSDF, SLSA, etc
• Expertise in threat modeling methodologies and tools
• Experience with PKI/certificates and cryptography
• Familiarity with Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis tools and methodologies
• Proficiency with at least one common programming language such as Python, Golang, Java, C/C++, or Javascript
• Experience with cloud computing technologies, especially AWS (Amazon Web Services) or Azure
• Experience with Git, Jenkins, Artifactory, or other similar technologies
• Strong communication skills with the ability to converse with multiple types of audiences
• Experience collaborating with distributed teams and other partners