Sr Product Security Engineer

Join ServiceNow's Product Security team as a Senior Product Security Engineer, focusing on the Secure Software Development Lifecycle (SSDL). This role is crucial for holistically improving our security program's maturity. You will lead product threat modeling, enhance security behaviors, and manage a highly visible security champions program, engaging in both technical and strategic initiatives.

Responsibilities

As a Senior Product Security Engineer, you will collaborate with developers and software architects on highly technical solutions to build secure and resilient software. Your responsibilities include:

• Conducting threat modeling for software products and services to identify potential risks.
• Participating in architectural reviews of products under development.
• Ensuring the success of a large and growing security champions program by mentoring champions and assisting them in secure software design.
• Working on a wide range of technologies and complex architectural/technical challenges.
• Mentoring and collaborating with development teams to adopt secure coding practices.
• Driving strategic and highly visible security activities across the organization.
• Acting as an advocate for security and participating in the security champions program.

Qualifications

• Experience leveraging or critically thinking about integrating AI into work processes, decision-making, or problem-solving.
• 4+ years of experience in software security (AppSec).
• 1+ years of experience in threat modeling software applications and services.
• Proficiency in threat modeling methodologies such as STRIDE or PASTA, applied within fast-moving, iterative development lifecycles.
• In-depth knowledge of common web application vulnerabilities (OWASP Top 10).
• Developer-level proficiency in Python, Java, JavaScript, or Golang.
• Knowledge of authentication and authorization standards including OAuth, OIDC, SAML, JWT, and PASETO.
• Knowledge of cryptography, including symmetric and asymmetric cryptography, digital signatures, PKI, TLS, and cryptographic hash functions.
• Knowledge of cloud-native technologies like containers, Kubernetes, and services from AWS, GCP, and Azure.
• Familiarity with SAST, DAST, and SCA security tools.
• Knowledge of OWASP ASVS, SCVS, and related verification standards.
• Ability to collaborate effectively in a highly distributed team.
• Strong communication skills to convey technical concepts to business stakeholders.
• A passion for security.

We encourage you to apply even if you don't meet every single qualification. We value diversity and believe unique experiences enrich our team.