Job description
Job Overview: As a Product Security Architect at Avalara, you will be responsible for designing and implementing security frameworks and architectures that protect our SaaS product ecosystem. You will work closely with product development teams and DevOps teams to ensure security is built into our software from the ground up. This role focuses on safeguarding the entire product lifecycle, from design through deployment, ensuring that our customers’ data and our platform are secure from modern threats. Key Responsibilities: Architect secure product environments that address security concerns across our SaaS offerings, ensuring the security of all product layers, including application, data, and infrastructure. Develop security standards, guidelines, and best practices for product development teams, ensuring security is integrated into the software development lifecycle (SDLC). Conduct threat modeling and risk assessments for new features and services to proactively identify and address potential security vulnerabilities. Collaborate with product managers, developers, and DevOps teams to define security requirements and ensure they are incorporated throughout the design and development process. Perform secure code reviews and work with development teams to establish secure coding practices, including automation of security testing in CI/CD pipelines. Oversee data security and privacy mechanisms, such as encryption, data masking, and anonymization, to ensure compliance with regulatory requirements like GDPR, HIPAA, and others. Lead vulnerability management efforts for products, including monitoring, identifying, and remediating security flaws across applications and services. Establish security monitoring and incident response processes for our SaaS platform, working with DevOps teams to monitor security events and respond to product security incidents. Stay up-to-date with the latest security threats and technologies that impact SaaS platforms, ensuring proactive measures are in place to address new risks. Lead security-related training and awareness initiatives within the product and engineering teams, helping build a security-first mindset across the organization. Qualifications: Education: Bachelor’s degree in Cybersecurity, Computer Science, Software Engineering, or related field. Master’s degree or security certifications (e.g., CSSLP, CISSP, CCSP) are highly desirable. Experience: 15+ years of experience in software engineering, with a focus on product security for SaaS platforms. Proven experience in secure software development and building security into product architectures from design to deployment. Hands-on experience with cloud environments (AWS, Azure, GCP) and securing cloud-native applications (e.g., microservices, containerized workloads, serverless). Technical Skills: Strong understanding of secure coding practices, code review processes, and software vulnerability management. Expertise in security protocols and technologies such as OAuth, OpenID, JWT, encryption (TLS, AES), and API security. Experience with security tools for static code analysis (SAST), dynamic application security testing (DAST), and penetration testing tools. Knowledge of container security (e.g., Kubernetes, Docker) and cloud security best practices (IAM, network security, logging, monitoring). Familiarity with DevSecOps principles and the integration of security automation into CI/CD pipelines (e.g., Jenkins, GitLab, etc.). Soft Skills: Strong collaboration and communication skills, with the ability to work cross-functionally with development, product management, and DevOps teams. Analytical mindset with the ability to assess risks and propose practical, scalable security solutions. Excellent problem-solving skills and attention to detail. Preferred Certifications: Certified Secure Software Lifecycle Professional (CSSLP) Certified Information Systems Security Professional (CISSP) Certified Cloud Security Professional (CCSP) GIAC Cloud Security Automation (GCSA)