The New York Times has a unique culture that guides us to do things differently. This allows development teams to focus on delivering software with velocity, but also means that the Information Security team constantly innovates to solve classic problems. Our team of architects, builders and breakers consider customer security and success our north star and aren’t afraid of getting our hands dirty.
The Application Security Team helps secure the applications that run The New York Times business and serve our journalists. Our customers are primarily The New York Times product and technology teams that produce the software, tools and technology to empower the business. We build credibility not just by advising people but by being empathetic to people, paying attention to details, respecting ideas over egos, embracing change, and reducing the red tape by going the extra mile.
As an Application Security Engineer, you will:
Work with the product and technology teams to build in security early
Assess the application threat landscape by threat modeling and architecture reviews
Guide product and technology teams to integrate security into their software development lifecycle
Perform regular security assessments of NYT’s platforms and software
Conduct security code reviews for a variety of languages and frameworks of web and mobile applications
Plan, execute and Implement static code analysis across the organization
Work with the internal development teams to educate the teams on security topics
Prioritize, triage and remediate vulnerabilities and findings from system scans and bug bounty programs
Integrate security tools, standards, and processes into the secure software development lifecycle
Improve and support application security tool deployments including static analysis and runtime testing tools
Participate in application security periodic off-hours escalation rotation
You might have:
4+ years of experience in application security field
Experience with manual penetration testing against web and mobile applications
Experience with static code analysis tools such as Fortify, Checkmarx or other similar tools
Experience with risk assessment and architecture reviews
Experience with network/infrastructure penetration testing
Development and/or source code review experience in Python, Go, Ruby, PHP, Node.js
Familiarity with application layer assessment tools, such as local proxies and fuzzers
Familiarity with threat modeling and security design review methodologies
Ability to work both independently and perform as a leader in a team environment
Ability to work as part of a distributed team and travel to NYT office periodically if working remotely
Excellent communication skills (both written and oral)
Able to concisely communicate security risks to both technical and business audiences
Comfortable working in and across cloud environments like AWS and GCP
The following skills are not required from applicants but would be considered a plus:
Degree in Computer Science, Information Systems, Engineering or related major
Experience working as part of an enterprise development team
Experience developing custom scripts or tools used for vulnerability scanning and identification
A good understanding of cryptography fundamentals
Core mission is to seek truth and help people understand the world
Our values are Independence, Integrity, Curiosity, Respect, Collaboration and Excellence
Commitment to one’s development through education, workshops and active engagement
Exposure to a wide range of new, old and everything in-between technologies and languages
We <3 open source and believe that we grow together by sharing and giving back to the community
This role may require limited on-call hours. An on-call schedule will be determined when you join, taking into account team size and other variables. On-call hours are unpaid, unless informed otherwise by your manager.
The New York Times is committed to a diverse and inclusive workforce, one that reflects the varied global community we serve. Our journalism and the products we build in the service of that journalism greatly benefit from a range of perspectives, which can only come from diversity of all types, across our ranks, at all levels of the organization. Achieving true diversity and inclusion is the right thing to do. It is also the smart thing for our business. So we strongly encourage women, veterans, people with disabilities, people of color and gender nonconforming candidates to apply.
The New York Times Company is an Equal Opportunity Employer and does not discriminate on the basis of an individual's sex, age, race, color, creed, national origin, alienage, religion, marital status, pregnancy, sexual orientation or affectional preference, gender identity and expression, disability, genetic trait or predisposition, carrier status, citizenship, veteran or military status and other personal characteristics protected by law. All applications will receive consideration for employment without regard to legally protected characteristics. The New York Times Company will consider qualified applicants, including those with criminal histories, in a manner consistent with the requirements of applicable state and local "Fair Chance" laws.