Job Url: https://www.indeed.com/jobs?q=full+stack+developer&l=United+States&sc=0kf%3Aattr%28DSQF7%29%3B&radius=25&start=110&vjk=485fcebf59ae5d80

Job Description: Principal Application Security Engineer
Company: Shutterfly
Location: Remote
Pay: $127,000 - $187,000 a year
Job type: Full-time
Benefits: 401(k), Health insurance

Full job description

At Shutterfly, we make life's experiences unforgettable. We believe there is extraordinary power in self-expression. That's why our family of brands helps customers create products and capture moments that reflect who they uniquely are.

We are seeking a highly experienced and visionary Principal Application Security Engineer to lead and evolve our application security strategy. In this role, you will be responsible for embedding security into every phase of the software development lifecycle, mentoring engineers, and driving initiatives that protect our applications and data at scale. This is a hands-on leadership role that combines deep technical expertise with strategic thinking and cross-functional collaboration.

Responsibilities:
- Enhance our security posture to protect our infrastructure, systems, and data from cyber threats.
- Keep up to date with the security landscape by maintaining knowledge of current, relevant security threats, mitigations and best practices.
- Secure SDLC: Define and implement secure development practices, including code reviews, static/dynamic analysis, and CI/CD pipeline integration (SAST, SCA, DAST, IAST, IaaC, RASP, WAF, ASPM, CNAPP, CSPM).
- Vulnerability Management: Identify, triage, and remediate application vulnerabilities through automated tools and manual testing.
- Lead the Shift Left initiatives, their toolset and people processes, to secure our code before it is even written.
- Provide guidance and recommendations to software engineering teams to implement effective security measures that mitigate risks.
- Be the Subject Matter Expert and top technical resource for AppSec to engineers around the organization. Help engineers reproduce vulnerabilities, understand their impact, document issues, mitigate them, and retest the effectiveness of a fix.
- Create code training exercises for engineers, developers, DevOps and Platform teams.
- Train and liaise with Security Champions on development teams.
- Review and approve critical PRs and code changes.
- Perform and lead code reviews.
- Partner with engineering teams to develop secure code libraries.
- Perform and manage penetration testing, lead internal pen tests / red teams, and help manage and coordinate third-party testing.
- Act as the Subject Matter Expert (SME) and top technical contact for application security.
- Develop non-standard mitigations, outside the industry-standard methodologies, that reduce risk in clever ways.
- Security Architecture & Design: Partner with engineering teams to design secure systems and applications, ensuring security is built in from the ground up. Initiate and lead design, architecture and solution reviews.
- Threat Modeling & Risk Assessment: Lead threat modeling exercises and perform risk assessments for new and existing applications.
- Security Tooling: Evaluate, implement, maintain and decommission security tools and platforms to support application security efforts. Be the top operator of all tools and platforms within the AppSec program. Leverage open-source tooling to continuously widen the toolset.
- Incident Response: Collaborate with incident response teams to investigate and remediate application-related security incidents.
- Mentorship & Leadership: Mentor junior security engineers and developers on secure coding practices and security principles. Build relationships with stakeholders and business leaders across the organization.
- Cross-Functional Collaboration: Work closely with product, engineering, DevOps, and compliance teams to align security with business goals.
- Security Advocacy: Champion a culture of security awareness and continuous improvement across the organization.

Required Qualifications:
- Bachelor's degree in Computer Science, Cyber Security, or a related field.
- 7+ years of experience in application security.
- Excellent communication and collaboration skills, able to work across IT, engineering, and business teams.
- OSCP and OSWE certifications (or similar) demonstrating proficiency in network and web assessments, secure coding, and professional report creation.
- SANS certs: GIAC Web Application Penetration Tester (GWAPT); GIAC Web Application Defender (GWEB); SEC-542; SEC-642; SEC-644.
- Mastery of AppSec tooling, platforms, administration and operation.
- Proficient coder in at least 3 languages, able to code review in just about any language.
- Must be very proficient in Java, Spring, NextJS (React), Maven, Gradle, Docker, macOS.
- Strong command-line and scripting skills (bash, PowerShell) on both Linux and Windows.
- Managed a bug bounty program, including policy, scope, triage, risk scoring (CVSS), bounty payments, hacker management, mitigation and re-testing.
- Frequently participate in cyber security training platforms (Hack The Box, TryHackMe).
- Advanced user of Burp Suite Pro, with experience creating custom extensions in Java or Python, or at least using and modifying existing ones.
- Experience deploying and managing a RASP solution (e.g. DynaTrace, Prevoty, Contrast) and WAF (e.g. Akamai, AWS, Imperva, etc.) over multiple tech stacks.
- Strong analytical and problem-solving abilities with a risk-based security approach.