Sr. Application Security Architect

Job Summary

Wex, Inc. is looking for a Sr. Application Security Architect with broad software development and application security experience. This individual would be responsible for designing, guiding, and assessing security solutions in software projects to ensure that security is built in from the beginning. With the assistance of tools including SAST, DAST and SCA, perform assessments of software projects to identify security issues and guide teams to effective remediations.

About Us

WEX is a global leader in financial technology solutions, based in Portland, Maine, United States, with over 6,000 WEXers distributed in over 40 countries. We simplify the complexities of payment systems across continents and industries like Fleet, Corporate Payments, and Benefits. We look to manage employee benefits, streamline how companies pay and get paid by suppliers, save on fuel costs, or modernize how companies manage their fleet, WEX solutions reduce the administrative burdens.

Who Are We?

We're the Global Product Security Team at WEX, responsible for enabling a modern and effective Secure Software Development Lifecycle throughout WEX.. We partner closely with internal teams and customers to assure WEX operates in a secure and compliant manner. Our team holds itself to a high-standard and we collaborate closely with one another to ensure strong, reliable and effective relationships. We own our results and we take pride of ownership in everything we do.

We need help!

Changing the world isn't easy, and we have a lot of work ahead of us. From securing applications, data centers and cloud resources, we've got more work than we can handle and we're looking for great people to come along for the ride.

Who are you?

Culturally, you're:

• A highly motivated security architect who loves working on small, high performing teams that interface with the entire enterprise

• A collaborative, solid communicator who works well with your team and stakeholders to drive projects from inception to completion

• Someone who cares deeply for team results but is able to work independently to deliver high quality solutions for projects and operational tasks

• Comfortable balancing the need to move fast with the realities of working in a highly regulated organization

• Passionate about security, but pragmatic about delivering business value

• Customer focused - whether it's internal teams that we're supporting or the WEX partner, you prioritize ensuring they have a great experience with WEX and our team

• A skilled worker that has the motivation, expertise, and work ethic to operate independently across global time zones, and who is able to complete tasks and deliverables with minimal oversight

• A strong leader who builds consensus and drives change through buy-in and education rather than mandates

• Work closely with development teams on securing Wex's applications

• Able to mentor other engineers & architects on your team and other teams both technically and professionally

• Champion of a shift-left and DevSecOps approach to security, but tenacious enough to build such a program from the ground up

• A lifelong learner that is excited by new technologies and challenges

Technically, you:

• Are a Subject Matter Expert in software development and software security, particularly with web applications, APIs, mobile apps and enterprise applications delivered in a SaaS model.

• Provide leadership and help shape the WEX application security program and strategy

• Have a deep understanding of web application attacks and mitigations

• Think strategically about and research the latest trends in identity management, software attacks and mitigations

• Mentor and lead threat modeling sessions, focused primarily on teaching others to effectively practice effective and lightweight threat modeling

• Train other team members in risk based analysis of issues uncovered in manual and automated secure code reviews, and commercial static and dynamic application security scanning tools (SAST, DAST, SCA, etc)

• Do web application and mobile app penetration testing

• Deliver actionable security guidance to project teams

• Lead Security Development Lifecycle efforts, coordinating other security architects, security champions and project teams in performing secure architecture reviews, secure code reviews, threat models and penetration testing through the software development lifecycle;

• Keeps abreast of security industry best practices and OWASP recommendations utilizing knowledge to contribute to remediation efforts across the platform, as well as security policies and procedures;

• Actively identify and collaborate with security champions in the development and engineering organization to scale security expertise and awareness.

• Write and oversee the creation of application security standards and guidelines and assist in the implementation of these standards across the organization

• Deep experience working with compliance and regulatory frameworks such as PCI-DSS, HIPAA/HITRUST, SOX, GDPR, NIST, etc.

At a minimum, you

• Have 8+ years of progressive experience in software development and software architecture

• Have 3+ years experience with software security or information security

• Have 3+ years experience with application and container security tools such as SAST, DAST, SCA, IaC scanning and container image scanning, including integrating them to build and ticketing tools.

• Are an expert at identifying, exploiting and mitigating common application security issues, ie OWASP Top10,

• Are an expert at customer identity and related technologies, including OpenID Connect, OAuth 2.0, SAML 2.0

• Are able to troubleshoot security issues within a complex on-prem and multi-cloud environment

• A degree in Business, Computer Science or equivalent combination of education and relevant experience.

• Have experience working closely with many teams across departmental and business unit boundaries and can effect change in such complex environments

• Can commit and deliver on very specific project/delivery timelines with minimal supervision

• Have excellent communication skills, both written and verbal

It would be nice if you have

• Security certifications such as CISSP, CEH, OSCP, GWAPT or similar and cloud certifications

• Have an understanding of modern CI/CD approaches and tooling, preferably with multiple toolsets such as Azure DevOps, GitHub Actions, Jenkins and others

• Hands on experience with IAM tools like Okta, Auth0, Ping or similar

• Experience with designing and securing container technologies - Kubernetes, Docker, EKS, ECS, AKS, service mesh

• Experience with infrastructure as code (Terraform, CloudFormation, ...) and automation

• 3+ years of cloud hosted applications and public cloud experience (IaaS, PaaS, FaaS, SaaS)

• Experience working on agile teams