The job below is no longer available.

Estimated Pay $18 per hour
Hours Full-time, Part-time
Location Austin, Texas

We estimate that this job pays $18.19 per hour based on our data.


About this job

Bonterra exists to propel every doer of good to their peak impact. We measure that impact against our vision to increase the giving rate as a percentage of GDP from 2% to 3% by 2033. We know that this goal is lofty, but we are confident that the right technology and expertise will strengthen trust in the sector, allowing the social good industry to accelerate growth and reach peak impact. Bonterra's differentiated, end-to-end solutions collectively support a unique network of over 20,000 customers, including over 16,000 nonprofit organizations and over 50 percent of Fortune 100 companies. Learn more at bonterratech.com.

Summary

Do you love to stay up to date on the latest application security attacks, trends, and news? Do you love to try and poke holes in applications? Are you the type that tries to see if you can put a SCRIPT tag in a first name field? Are you detail oriented, passionate, and committed to continual development? If so, read ahead!

What You'll Do

  • Report directly to the CISO while heading up Application Security to champion a comprehensive application security program founded on the same engineering principles as our R&D counterparts including secure development throughout the CI/CD pipeline.
  • This role will own Application Security across all of Bonterra, and will span public cloud, data center, and hosting infrastructure security.
  • Work with the CISO to strategically develop a program to manage security across all the SaaS applications sold by Bonterra. Build out a roadmap to address gaps in coverage, staffing, and future requirements as we scale the enterprise.
  • Utilize excellent communication and interpersonal skills to develop strong and productive partnerships with our key stakeholders, especially R&D, Product, M&A, and IT, enabling the InfoSec teams to regularly leverage these partnerships to address critical and systemic Application risks as well as evangelizing and driving application security inside the company.
  • Scale our Application security programs through automation, software, tools, training, and initiatives vs being mostly dependent on scaling horizontally through large headcount asks.
  • Review and confirm risk and impact of application vulnerability findings from a variety of sources like SAST, DAST, IAST, SCA, pentest reports, and bug bounty program submissions.
  • Perform activities such as: threat modeling, application security reviews, third-party integration reviews, source code level assessments, security testing, open and internal sourced component lifecycle management, and vulnerability triage across various applications.
  • Become an expert at leveraging quantitative data and meaningful metrics to guide program decisions, educate stakeholders, measure program operations, and overall application health.
  • Run centralized tracking and remediation of Application vulnerabilities including prioritization, scheduling, management, and metrics reporting. Work collaboratively and proactively with R&D, Product, & Operations teams and drive issue resolution.
  • Identify recurring classes of security problems, find the root cause, and develop generalized and creative solutions to reduce the occurrence of application vulnerabilities at scale.

Requirements:

  • 5-7 years of experience in software development roles with 2-3 years in a position of responsibility (team lead, etc.), including experience designing and building software-based solutions at scale using at least one popular programming language (C#, Java, Python, Ruby, etc.)
  • An additional 5-7 years of experience in Application security with an emphasis on secure software development, code analysis, and application vulnerability management
  • Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
  • You demonstrate excellent and pragmatic judgement in prioritizing security efforts to mitigate the appropriate risks.
  • Strong knowledge of secure design practices such as threat modeling and common software vulnerabilities such as CWE Top 25 and OWASP top 10, and using that knowledge to identify security issues through code review, static/dynamic analysis, and common security tools.

What sets you apart:

  • Experience with and knowledge of securing cloud services such as those built on AWS and/or Azure
  • M&A (Mergers and Acquisitions) Product Security experience is a plus.
  • You have a strong application security background with a focus on scalable approaches to product security.
  • Experience with information security frameworks & controls. Knowledge of NIST, ISO, SOC 2, PCI, and/or CIS Controls.

Compensation

The range displayed on this job posting reflects the minimum and maximum target for new hire salaries for the position across all US locations. Within the range, individual pay is determined by work location and additional factors, including job-related skills, experience, and relevant education or training.

Base pay is one part of the Total Package that is provided to compensate and recognize employees for their work, and in addition to benefits this role may be eligible for discretionary bonuses/incentives, and equity.

US base salary range: $170,000 - $180,000

Please note that the compensation range specified in this job posting is applicable to candidates based in the United States. For international applicants, actual salary offers may vary based on the local market compensation standards and will be determined in accordance with regional considerations, including but not limited to applicable laws, cost of living, and industry norms.

Our Culture:


Our team is made up of industry experts and advocates who are 100% committed to supporting the doers of social good. We are currently undergoing an effort to create the vision and values that embody our collective organization and embrace the individuals who make up our community.


Our comprehensive and competitive benefits include:

  • Generous Flexible Time Off (FTO) Policy

  • Equity for ALL regular, full-time employees from individual contributors to management - share in our success!

  • Up to 15 paid company holidays including some commemorating social justice events and self-care

  • Paid volunteer time

  • Resources for savings and investments

  • Paid parental leave

  • Paid sick leave

  • Health, vision, dental, and life insurance with additional access to health and wellness programs.

  • Opportunities to learn, develop, network, and connect

We are committed to being an equal opportunity employer and evaluate qualified applicants without regard to race, color, religion, sex, pregnancy (including childbirth, lactation and related medical conditions), national origin, age, physical and mental disability, marital status, sexual orientation, gender identity, gender expression, genetic information (including characteristics and testing), military and veteran status, diversity of thought and any other characteristic protected by applicable law.