Senior Application Security Manager

At Shutterfly, we make life’s experiences unforgettable. We believe there is extraordinary power in self-expression. That’s why our family of brands helps customers create products and capture moments that reflect who they uniquely are.

This is an exciting time for Shutterfly. In this position, you will be leading the application security team to shape the application security program. Your focus will be on helping to build and maintain an Application Security program that can be used as the benchmark for our industry.

We are looking for an innovative Senior Application Security Manager who loves to lead, red team, train, resolve vulnerabilities, and much more. While also being a Subject Matter Expert in application security, you will work with application security engineers to evangelize shift-left security, engaging early and often with the engineering teams. You will bring your strong leadership skills, technical background in application security, and deep experience in building application security programs to help take Shutterfly’s application security program to the next level.

• Lead a team of highly skilled application security engineers through planning, prioritization, and execution of work.
• Manage the application security program. Design and execute automation services to enhance enterprise application security test tooling in SDLC and DevOps pipelines.
• Develop close relationships with the engineering leadership across the company to help teams prioritize security challenges, track and resolve identified risks.
• Establish and maintain Security Champion program.
• Establish, maintain and roll out security training program for developers.
• Build and grow an execution team to analyze and resolve application security issues.
• Create and evolve sustainable processes and tools for operations through automation, self-service, and reducing complexity.
• Oversee application security engineers performing penetration tests of services.
• Define, monitor, and report application security metrics to accurately represent department statistics and team performance.
• Manage the relationship with third-party vendors providing services to support application security program.
• Work with engineering on vulnerability management program, maintaining backlog and driving remediation efforts.
• Mentor and guide AppSec engineers, fostering professional growth and development through one-on-ones, coaching, and real-time feedback.

• BS/MS in Computer Science or equivalent experience.
• 6-8 years working as an Application Security Engineer and 1-3 years specifically leading application security team.
• Experience recruiting and managing technical teams, including performance evaluation and management.
• Experience with different styles of source control and CI/CD pipeline.
• Experience building relationships with stakeholders and business leaders.
• Proven risk assessment and mitigation skills.
• Proven communication skills, the ability to present information clearly and concisely to all levels of management both formally and informally.

• Familiarity with OWASP top 10 vulnerabilities, mitigations, and their impact on application architecture.
• Experience with application security testing including SAST, DAST, and SCA.
• Experience with Web Application protection tools including RASP, WAF, and DDoS mitigation.
• Experience with Code Review process.
• Familiarity with programming languages such as Java, NodeJS, Python.
• Experience managing and maintaining an enterprise bug bounty program.
• Familiarity with cryptography including commonly implemented algorithms, standards, and best practices.
• The candidate should have familiarity with a variety of development and testing tools, including IDE, GIT, JIRA, Maven.

• Familiarity in both using and securing Linux based systems and containers.
• Familiarity in both ECS and Kubernetes cluster deployment.
• Familiarity in Micro Services architecture and security control in such environment.
• Familiarity in deploying and maintaining controls within various public cloud environments (AWS/Azure/GCP).
• Relevant security certifications (SANS/GIAC, CISSP, CSSLP, OCSP, etc.) are highly desirable.

Supporting a diverse and inclusive workforce is important to Shutterfly not only because it directly reflects our value of Embracing our Differences, but also because it’s the right thing to do for our business and for our people. We welcome all applicants and evaluate them based on their qualifications, without regard to age, race, creed, color, national origin, ancestry, marital status, affectional or sexual orientation, gender identity or expression, disability, nationality, sex, or other characteristic covered by law. Learn more about our commitment to Diversity, Equity, and Inclusion on our Career Site.

This position will accept applications on an ongoing basis until filled.

The compensation package for this role is based on multiple factors, such as job level, responsibilities, location, and candidate experience. The base pay ranges included below are specific to the locations listed, and may not be applicable to other locations.

California: [$166,000-236,000]

Connecticut and New York: [$166,000-216,000]

Colorado, Illinois, Minnesota, and Washington: [$166,000-200,000]

Nevada: [$156,000-216,000]

Maryland and New Jersey: [$179,250-216,000]

Hawaii: [$156,000-188,000]

This position may be eligible for a bonus incentive, health benefits, a 401K program, and other employee perks. More details about our company benefits can be found at https://shutterflyinc.com/benefits/.

This opportunity can be remote, but candidates must reside in a state in which Shutterfly is registered to do business. This includes all US states except District of Columbia, North Dakota, Mississippi, Rhode Island, Vermont, and Wyoming.

This position will accept applications on an ongoing basis until filled.

#SFLYTechnology