Job Description Overview Are you interested in joining an innovative, growing application security team? Do you want to help define and build an application security program for the Arc XP digital experience platform? Arc XP technology is used by the Washington Post and hundreds of other top brands to support agile, media rich, digital experiences for their customers. Are you interested in helping me improve and mature a rapidly evolving application security program for the Arc XP division of The Washington Post? We are looking for someone who can participate in incident response, threat detection, and internal security assessments, while effectively communicating mitigation techniques to our developers on a modern cloud-native AWS, Lambda, microservices architecture. The scale of the Arc XP platform is impressive with over eight billion unique page views per month, managing several petabytes of data. With great scale comes great responsibility and the security challenges to match. The Arc XP security team believes strongly in the mission of The Washington Post. Truly, Democracy Dies in Darkness. The Post has survived for 143 years and we will do our part to see it provide intelligent, insightful reporting for generations to come. Our team’s mission is to help this organization thrive through the implementation of a world-class application security program. If you want to join in this mission, stretch yourself, learn a lot, and have a great time along the way, let’s talk. Responsibilities Integrate security tools, standards, policies, controls and processes into the Software Development Lifecycle (SDLC) Interpret security scans and manage scanning tools to discover security issues, and provide remediation guidance Participate in threat modeling, architecture review, code review, and penetration testing Participate in threat hunting, breach detection, and incident response Support security incident response and provide expertise in remediation Participate in ISO 27001 related activities, including evidence collection and continuous improvement of organizational security best practices Review documentation, code, and processes with an eye towards continuous improvement and risk mitigation Qualifications Minimum Qualifications BA/BS in Computer Science or related technical field or equivalent practical experience 5 years security experience, working with teams building highly scalable, customer facing applications Familiarity with industry standards and regulations such as PCI, GDPR, and ISO27001 Knowledge of application security vulnerabilities in terms of cause, effect, and remediation techniques Knowledge of at least two programming languages, including at least one dynamic language such as JavaScript or Python Experience with common automated security analysis tools such as SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and SCA (Software Composition Analysis) Familiar with security engineering best practices and how they fit into agile development processes Preferred Qualifications Experience supporting tools and processes for secure web applications on AWS Experience with automated deployment tools such as CloudFormation Experience analyzing application and cloud environment security standards. Exceptional written and oral communication skills #LI-remote The Post strives to provide its readers with high-quality, trustworthy news and information while constantly innovating. That mission is best served by a diverse, multi-generational workforce with varied life experiences and perspectives. All cultures and backgrounds are welcomed.