SaaS Security Engineer

Apple is seeking a Software-as-a-Service (SaaS) Security Engineer within the Apple Information Security (AIS) organization. We are looking for an experienced security professional who is passionate and knowledgable about SaaS, Cloud, and Web Application Security. This position will be responsible for ensuring the security maturity of Apple's most critical SaaS assets and developing new methods to scale the program while reducing Apple's attack surface.

Description

* This position requires a broad mix of technical expertise coupled with polished communication and emotional intelligence to influence our SaaS Supplier's and Business Partners. * The successful candidate will have a passion for technical excellence and team collaboration with a heavy focus on offensive security . This role will work closely with business parters, peer security teams, and Suppliers to ensure the secure design, deployment, and configuration of new and existing SaaS. * Perform security architecture reviews and threat models of the full stack of SaaS, including applications built on cloud and emerging technologies with an understanding and impact of the shared responsibility model. * Conduct targeted penetration and application testing of SaaS to provide true validation of the security posture of Apple use-cases. This role requires creative thinking and a tailored approach across a diverse population of Cloud-based products and services. * Work cross-functionally with business teams and defense to execute Purple Team engagements to enhance threat and anomaly detections. * Proactively identify vulnerabilities and misconfigurations across Apple's SaaS population. * Provide clear and detailed risk reduction and remediation guidance to 3rd Party SaaS Suppliers and Apple business teams. * Research new and emerging threats to ensure Apple's assessment methodology is keeping pace with security trends. * Deliver program enhancements to approach, methodology, and focus areas. * Thrives in a fast pace environment with the ability to effectively shift priorities due to evolving business needs and emerging security trends.

• 5+ years of work experience with manually testing SaaS and Web Applications.
• Experience with evaluating and testing the security of Public Cloud environments (ie; AWS, GCP, Azure).
• In-depth knowledge identifying and protecting against web application and API security vulnerabilities.
• Experience executing Threat Modeling and Design Reviews.
• Strong understanding of Application Security, Cloud Security, Network Security, Identity and Access Management, and Cryptography.
• Experience with Python, Go, and/or bash scripting.
• In-depth knowledge of the security assessment processes and lifecycle with the ability to identify potential improvement areas and gaps in existing processes.
• Excellent written and oral communication skills, including experience
• Understanding of key infrastructure including micro-services architectures, Git, code repositories, Infrastructure-as-a-code, Kubernetes, CI/CD frameworks

• Experience with testing or understanding the threats of AI enabled services.
• Experience with the security implications and testing Electron-based applications.
• Experience with SQL, Databricks, and Spark programming.
• Contributions to the security community such a research, published CVEs, bug-bounty recognitions, open-source projects, blogs or publications.
• Experience using Dynamic Application Security Testing (DAST) capabilities.
• Industry Certifications such as GWAPT, GPEN, GCPN, OSWE.
• Experience in Supply Chain Risk Management
• Bachelors Degree or equivalent work experience