  • Location: New York
  • Date Posted: Jul. 5, 2021
  • Function: IT
  • Sector: Retail

We are looking to bring on an application security engineer to contribute their security expertise to our growing application security team. This team member will work with developers and the broader engineering organization to identify, understand, and discuss security risk. They will assist in vulnerability review, prioritization, and remediation as well as automation of our existing processes. This member will also have the opportunity to participate in the design process as a security stakeholder in design reviews. As Glossier grows its ecommerce and retail business, the importance of secure development and infrastructure becomes even greater!

Six Month Expectations

  • Conduct security reviews for new systems and architectural patterns being introduced at Glossier
  • Provide security control guidelines for cloud (AWS) services to protect critical assets and data
  • Build threat models, and train the tech team on how to use them when developing new features
  • Develop application security and product best practices to standardize security practices
  • Collaborate with cross-functional partners to establish a strong vulnerability management process, including a bug bounty program
  • Provide vulnerability remediation guidance and mentoring to developers
  • Build metrics to track security defects and automate the collection of security information to derive metrics
  • Review, analyze, and evaluate both internally developed software and vendor products and procedures to address security requirements
  • Evaluate new technologies, tools, and/or development techniques that impact security
  • Work with developers to understand risk, prioritize accordingly, and assist in remediation

Twelve+ Month Expectations

  • Create policies and tools to ensure new services can easily follow recommended security practices, such as least-privileged access, audit trails for sensitive actions, and centralized logs for investigating incidents
  • Work with DevOps engineers to integrate static and dynamic analysis security tools into CI/CD pipelines
  • Build cloud governance tooling to automatically monitor and enforce our AWS security policies
  • Implement a set of automated scanning and reporting tools to ensure software dependencies are kept up to date, and source code is statically analyzed for vulnerabilities
  • Enable automation of product security testing and find innovative ways to scale the security team
  • Facilitate red team and security incident response drills

Qualifications

  • Has 3+ years of software engineering experience, including 2+ years of software security engineering experience
  • Has written code to fix web app vulnerabilities, patched dependencies, and configured production cloud infrastructure
  • Preferred: Bachelor’s degree in Computer Science or a similar technical field of study, or equivalent practical experience
  • Must be able to explain vulnerabilities with reference to the OWASP Top 10, WASC, and/or CWE Top 25 to any audience, and discuss effective defensive techniques
  • Is comfortable programming with Ruby or JavaScript
  • Has implemented frameworks and tooling to continuously monitor for security vulnerabilities
  • Is an effective communicator to help other stakeholders understand security concerns
  • Can appropriately align security goals with business value and make effective tradeoffs
  • Can incrementally deliver value
  • Security certifications that show a baseline understanding (Security+, CEH, OSCP)

About Glossier

Glossier is a beauty company that lives in NYC, is sold on the internet, and promotes a skincare-first philosophy that celebrates beauty in real life.

We are an Equal Employment Opportunity (“EEO”) Employer. It has been and will continue to be a fundamental policy of Glossier not to discriminate on the basis of race, color, creed, religion, gender, gender identity, pregnancy, marital status, partnership status, domestic violence victim status, sexual orientation, age, national origin, alienage or citizenship status, veteran or military status, disability, medical condition, genetic information, caregiver status, unemployment status or any other characteristic prohibited by federal, state and/or local laws. This policy applies to all aspects of employment, including hiring, promotion, demotion, compensation, training, working conditions, transfer, job assignment, benefits, layoff, and termination.