The Information Security Engineer will secure the technical and operational aspects of Information Security for the organization, products and services; this person is essential to ensuring the ongoing protection of Sonatype’s critical role in the software supply chain. The role requires a solid understanding of Cloud security and experience with industry standard secure software development practices in order to contribute to the safe operation of cloud native solutions. This includes supervising and vulnerability management practices, incident response, reporting, and guide security improvements. As part of the Information Security team, you will be an Information Security partner and collaborate with technical teams and third-party vendors to integrate security controls and compliance proofing into our products, platforms, and processes.
Primary job duties:
Perform vulnerability scans, review output, provide initial analysis and remediation
Perform information security incident response and issue resolution as needed
Protect digital assets from unauthorized access, mitigate risks before a data breach occurs and provide security to ensure critical information is thoroughly protected
Implement, configure and upgrade security tools and systems
Evaluate, integrate and configure security tooling
Collaborate with technical teams, product managers and third parties
Respond to cyber security alerts from a variety of systems throughout the enterprise.
Security event handling including InfoSec tickets, investigating log alerts & other security events via supervising tools, event to incident conversion, etc.
Perform technical risk assessments for software, products & services used anywhere inside Sonatype (OEMs, tools, algorithms, libraries etc.)
Identify flaws within the organization's infrastructure and make risk-based recommendations. We are looking for consistent track record within the following areas:
3 + years of Software development experience or security related engineering
3 + years Development Operations (DevOps) experience
3 + years of Incident management/handling and response methods/escalation
3+ years Vulnerability management & scanning tools
Common security frameworks and protection methods
Technical risk assessment methods
DevSecOps processes
Cloud and infrastructure security Additional skills of interest to us:
Be conversant in web application security, ex: OWASP top 10
Be familiar with the principles of security architecture
Have experience with SAST, DAST, SCA, or related security testing frameworks/tools
Have experience with threat modeling frameworks and related industry tools
Have performed security reviews of architecture, source code, infrastructure, and/or SDLC processes
Have deployed vulnerability scans, either automated or custom.
Hold any of the following SANS Certifications: GSEC, GCIH, GCLD, GCID, GMON
Hold any (ISC)² Certifications such as: CISSP, CC, SSCP, CCSP, CAP, CSSLP Things that we are proud of:
2022 Frost & Sullivan Technology Innovation Leader Award: Sonatype earned Frost & Sullivan’s 2022 Global Technology Innovation Leadership Award in Development and Operations (DevOps) Security.
NVTC 2022 Cyber Company of the Year: Sonatype was named Commercial Cyber Company of the Year and a Capital Cyber Award-winner by the Northern Virginia Technology Council (NVTC)
2022 Annual Peer Award: Sonatype’s Nexus Lifecycle won a PeerSpot Silver Peer Award as a leading Enterprise Technology solution in the Software Composition Analysis category.
2022 Best in Biz Award: Sonatype CEO Wayne Jackson was recognized as a Silver Winner in the Best in Biz Awards' Executive of the Year category.
Tech Ascension Awards: Sonatype was named the Best DevOps Security Solution for Nexus Lifecycle and Nexus Firewall (Software Composition Analysis).
Builtin Best Places to Work: Sonatype was named to the Washington DC 100 Best Places to Work list and Washington DC Best Midsize Places to Work list.
Company Wellness Week - We shut down company operations for a week to enable all employees to spend time pursuing personal growth and enjoying much-needed and deserved rest.
Diversity & Inclusion Working Groups
Parental Leave Policy
Paid Volunteer Time Off (VTO) Additional Information
We are Sonatype, and we have assembled an outstanding team of employees, investors, and partners. We are proud to be recognized as a Deloitte Technology Fast 500 company for 2016. With more than 120,000 installations and counting, Nexus products are helping modern development organizations thoughtfully source, lead, assemble, and maintain open source and third-party components, so they can improve the quality, security, and speed of their software supply chains.
We are curious and constantly innovating without fear of failure. We are pursuing a huge and emerging market and seeking remarkably dedicated individuals to join us on our journey.
At Sonatype, we value diversity and inclusivity. We offer perks such as parental leave, diversity and inclusion of working groups, and flexible working practices to allow our employees to show up as their whole selves. We are an equal-opportunity employer, and we do not discriminate based on race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status. If you have a disability or special need that requires accommodation, please do not hesitate to let us know.