Summary:

Are you passionate about securing global-scale ecommerce services and applications that power millions of customers across over a hundred countries around the globe? We are looking for a hands-on Principal Product Security Engineer to lead our Secure Development Lifecycle assurance processes, our security automation technologies, drive the security hardening strategy across our product and respond to current and emerging security threats. This role can be fully remote and must reside in US.

In this role, you will help us drive our Product Security strategy working with development teams globally to define new security capabilities, grow the team by hiring the best talent, and partner with senior leaders across the organization to deliver company-wide security initiatives. 

Responsibilities Include::

• Lead cross-functional projects and establish cutting-edge security development lifecycle practices

• Directed security design reviews and threat modeling for new and existing services at iHerb

• Evaluate, prototype, implement, and operate security-focused tools and services

• Create new secure architecture standards, frameworks and patterns spanning multiple layers

• Discover and analyze emerging security threats, determining applicability to iHerb and proactively implement centralized mitigations

• Evaluate, prototype, implement, and operate security tools and services (DAST, SAST, SCA...)

• Maintain a strong knowledge of current security threats and operational best practices

• Drive our security assessment, penetration testing and bug bounty programs

• Participate in security incident response

In order to be successful in this role you must have: 

• Demonstrated technical foundation (Computer Science / Engineering degree or equivalent experience) with an innate ability to translate technical vulnerabilities into organizational risks

• 8+ years of technical security leadership at a top-tier software company including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security, and broader cloud computing technologies

• Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)

• Proficiency implementing SDL process, technology, and automation in a DevOps environment

• Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection and encryption

• Knowledge of major programming languages and frameworks (e.g. Python, C# .NET, JavaScript, node.js, Java...)

• Excellent problem solving, critical thinking, collaboration and communication skills

Bonus Qualifications:

• Experience with Cloudflare security, AWS VPCs, EC2 instances and docker

• Ability to drive good decisions through data with great attention to detail and deliver KPIs 

• Experience driving application security training, security champions and awareness campaigns

• Active contributor to the security community (research, open source, publications…) with the ability to attract and hire great talent

#LI-JC1

About the Role

We are looking for a hands-on Security Automation Engineer and builder who thrives on creating automated, secure cloud environments and scaling security operations. You will design and maintain infrastructure-as-code, cloud security automations, and modern security tooling — with a strong focus on AWS, Splunk Enterprise Security, Splunk SOAR, and Okta Identity. This role combines deep cloud infrastructure expertise with security orchestration and identity management to strengthen our overall defensive posture.

Key Responsibilities

• Design, develop, and maintain automation frameworks and scripts (Python, Bash, Terraform) to streamline security processes and workflows.

• Deploy and manage secure, scalable infrastructure on AWS using Terraform via Scalr and Harness, with additional presence in GCP and Azure.

• Build, support, and optimize AWS Step Functions, Lambda, and EventBridge workflows from a centralized tooling account that operates across multiple spoke accounts in the AWS Organization.

• Maintain Kubernetes clusters using Helm charts, including in-house security automations on pods that integrate with CSPM tools and Jira ticketing processes.

• Develop and enforce cloud security guardrails using OPA, Guardrails, Service Control Policies (SCPs), IaC security gates, and tag policies.

• Architect, build, and maintain Splunk Enterprise Security (ES) integrations, including onboarding log sources, managing indexes, tuning correlation searches, and configuring automated response actions.

• Design and implement Splunk SOAR playbooks to automate security tasks, reduce Mean Time to Respond (MTTR), and scale SOC capabilities.

• Serve as the subject matter expert for Okta Identity Engine (OIE) — building and managing scalable SSO policies, modern authentication (SAML/OIDC), and identity lifecycle processes.

• Leverage AWS security services (GuardDuty, Macie, IAM, Control Tower, KMS, CloudTrail, EventBridge) to build event-driven automations for threat detection and response.

• Own the in-house Jira management process for CSPM findings and the supporting data pipeline that feeds AWS QuickSight dashboards.

• Collaborate with cross-functional teams (Dev, Platform, Security, and SOC) to integrate security automation into CI/CD pipelines and shift security left.

• Conduct risk assessments, enforce security best practices, and continuously improve our defensive posture through automation and tooling.

• Monitor, troubleshoot, and optimize cloud infrastructure and security systems to ensure high availability, performance, and compliance.

• Stay current with AWS best practices, security trends, and emerging technologies to drive continuous improvement.

Required Skills & Qualifications

• 10+ years of experience.

• Strong hands-on experience with:

  • Terraform, Kubernetes (EKS + Helm), Docker, and scripting in Python & Bash

  • AWS services including Step Functions, Lambda, EventBridge, GuardDuty, Macie, IAM, Organizations, and QuickSight

  • Policy-as-code tools (OPA, Guardrails, SCPs) and IaC security scanning

  • Splunk Enterprise Security (ES) administration, log onboarding, correlation search tuning, and automated responses

  • Splunk SOAR playbook development and automation

  • Okta Identity Engine (OIE), SSO, SAML, and OIDC protocols

• Proven ability to work independently with minimal supervision while collaborating effectively with cross-functional teams and providing technical guidance.

• Experience designing automation solutions that reduce MTTD and MTTR.

• Solid understanding of cloud security principles, compliance frameworks, and secure infrastructure design.

Preferred Qualifications

• Experience with Scalr, Harness, or similar IaC deployment platforms.

• Familiarity with GCP and/or Azure cloud environments.

• Prior experience integrating security tools with Jira and building data pipelines for visualization (QuickSight or similar).

• Security certifications (AWS Security Specialty, CKS, Splunk-related certifications, or Okta certifications) are a plus.

#LI-JC1

Job Summary: 

The Application Security Engineer will help with our Secure Development Lifecycle assurance processes, our security automation technologies, drive the security hardening strategy across our product and respond to current and emerging security threats. This role will contribute tremendously to our Product Security team working with development teams globally to define new security capabilities, and partnering with leaders across the organization to deliver company-wide security initiatives. 

Job Expectations:

• Drive cross-functional projects and establish cutting-edge security development lifecycle practices

• Lead security design reviews and threat modeling for new and existing services at iHerb

• Evaluate, prototype, implement, and operate security-focused tools and services

• Develop new secure architecture standards, frameworks and patterns spanning multiple layers

• Understand and analyze emerging security threats, determining applicability to iHerb and proactively implement centralized mitigations

• Evaluate, prototype, implement, and operate security tools and services (DAST, SAST, SCA...)

• Maintain a strong knowledge of current security threats and operational best practices

• Take part in our security assessment, penetration testing and bug bounty programs

• Participate in security incident response

The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job.  Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.

Knowledge, Skills and Abilities:

Required:

• Demonstrated technical foundation

• Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)

• Proficiency implementing SDL process, technology, and automation in a DevOps environment

• Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection and encryption

• Excellent problem solving, critical thinking, collaboration and communication skills

• Experience driving application security training, security champions and awareness campaigns

• Active contributor to the security community (research, open source, publications…) 

Equipment Knowledge:

• Knowledge of major programming languages and frameworks (e.g. Python, C# .NET, JavaScript, node.js, Java...)

Experience Requirements:

Generally requires three (3) plus years of technical security experience at top-tier software companies including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security, and broader cloud computing technologies

Education Requirements: 

Computer Science / Engineering degree or equivalent experience with an ability to translate technical vulnerabilities into organizational risks

Judgment/Reasoning Ability:  Able to identify, troubleshoot and resolve problems quickly using sound judgment, poise and diplomacy.  Ability to use judgment and reasoning skills, and determine when to escalate issues, as required, in a timely manner.

Physical Demands: The physical demands described here are representative of those that must be met by a Team Member to successfully perform the essential functions of this job. While performing the duties of this job, the Team Member is regularly required to talk and hear. The Team Member is frequently required to sit, walk, climb stairs, use hands and fingers, bend, stoop and reach with hands and arms.  Reaching above shoulder heights, below the waist or lifting as required to file documents or store materials throughout the work day. The Team Member may occasionally lift or move office products and supplies up to 25 pounds. Proper lifting techniques required.  Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.

Work Environment: The noise in the work environment is usually moderate. Other factors are:

• Hectic, fast-paced with multi-level distractions

• Professional, yet casual work environment

• Office / Warehouse environment

• Ability to work extended hours as required

#LI-JC1 #LI-REMOTE