DevSecOps Engineer

Overview:

The Information Security team at Weedmaps works collaboratively throughout the entire organization to align Information Security to the business and our products. Weedmaps is looking for a DevSecOps Engineer to join our expanding team. As a DevSecOps Engineer, you would ensure the Security of Weedmaps's products and services.

The impact you'll make:

• Perform security assessments and design reviews of Weedmaps’s web applications, mobile clients, internal services and APIs
• Maintaining and creating secure development best practices and programs for our engineering teams
• Identify risks in code, applications, software architecture, and internal development processes
• Evaluate, analyze, and reproduce security vulnerabilities reported by internal tools, internal engineers, security researchers, partners, and customers. Partner with development teams to ensure they address these vulnerabilities in our products and services
• Provide guidance on relevant application security industry standards and practices such as OWASP, SANS, CWE, CWSS, CVE, CVSS, etc.
• Partner with multiple engineering stakeholders to evangelize security, assist in developing security controls into engineering pipelines, and remediate security issues from internal, and third- party assessments
• Build new tools into our Security program, which includes automation of processes to make security testing more effective and efficient.
• Take part in helping develop the maturity of Weedmaps's security organization
• Assist the Information Security team in gaining industry-recognized certifications such as ISO 27001, SOC, PCI DSS

What you've accomplished:

• You have 4+ years of experience working on a security team performing technical security assessments on modern web applications, APIs, and mobile applications within cloud hosted environments such as AWS, GCP, Azure
• Strong familiarity with containers and container orchestration/scheduling (eg. Docker, ECS, Rancher, Kubernetes)
• B.S. in Computer Science, a related field, or equivalent experience
• Experience shifting security left through CICD automation 
• Automation skills using Infrastructure as Code tools like Ansible, Terraform, Chef, Packer, Helm, etc.
• Experience with CICD pipelines like CodeFresh, CircleCI, Jenkins, etc.
• Familiarity with Hashicorp Vault, AWS Secrets Manager or other secrets management infrastructure
• Familiarity with Amazon AWS Policy, Configuration, and Security Management tools.
• Familiarity with API Security, Container Security, AWS Cloud Security
• Knowledge of PCI-DSS, HIPPA, SOX, GDPR, and CCPA Standards and Policies and the associated certification and audit processes
• Experience working with Developers, DevOps, SRE and Engineering teams in a dynamic environment to promote/implement the DevSecOps program throughout the organization.
• Experience coordinating and performing vulnerability assessments through the use of automated and manual tools (Tenable, NMAP, DataDog Security, AWS Security Hub / GuardDuty, etc).
• Ability to review and analyze vulnerability data to identify security risks to the organization's network, infrastructure, and application's and determine any reported vulnerabilities that are false positives.
• Capability to prepare security vulnerability and risk management reports for management.
• Proficiency in Python, Go, Ruby or other programming languages.
• Comprehension in the security areas of Key Management Systems, Certificate Management, Encryption, Penetration Testing, Vulnerability Scanning, Security and Monitoring tools, etc.
• Experience configuring, implementing and leveraging computer security and networking diagnostic/monitoring tools.
• Knowledge of patch management and related information security functions (authentication, encryption, iptables, SSL, Ciphers, etc)
• Ability to work with APIs and Plugins to integrate security tools into established CI/CD pipelines.
• Experience with manual secure code review in languages such as Javascript (Node, React), Go, Ruby, Elixir
• Experience integrating security into CI/CD pipelines
• Familiarity with common web application testing tools for DAST, SAST, and IAST analysis such as Burp Suite, Checkmarx, Veracode, AppSpider, or Contrast
• Understanding of Agile software development methods and familiarity with enterprise. productivity tools such as JIRA, and Confluence
• Experience instituting organizational change with respect to security
• Effective communicator to multiple audiences both verbally as well as orally

Bonus points: 

• Experience working in E-commerce or three-sided marketplace
• Experience and familiarity with NIST, PCI, et. al. frameworks
• Experience with bug bounty programs
• Experience with CDNs such as Fastly, Cloudflare, CloudFront, Akamai
• Familiarity with Weedmaps products and services is a plus

Our Benefits:

• 100% paid employee monthly Medical, Dental and Vision premiums AND 80% paid dependent monthly premiums
• HMO (California residents only) and PPO option offered through United Healthcare
• Company-paid $50,000 in Basic Life/AD&D (Accidental Death and Dismemberment) coverage
• 401(k) Retirement Plan: 100% match on the first 1%. 50% match from 2-6% of employee contributions
• 3 weeks PTO (accrued) and 5 sick days (immediate)
• Supplemental, voluntary benefits
• Kindbody (family planning/fertility) including up to $10,000 towards cash-pay services
• Goodly (Student Loan Repayment/529 Education Savings) including a company contribution of up to $1,000/year 
• Flexible Spending Accounts (Medical, Dependent, Transit and Parking)
• Voluntary Life Insurance
• Critical Illness
• Accident Insurance
• Short- and long-term disability
• Pet Insurance
• Paid parental leave
• During current work-from-home:
•  Reimbursements for home office setup and monthly WiFi

Our Culture:

• 11 company-paid holidays
• Catered lunch and snacks provided when working in the office
• Snack boxes sent straight to your door when you work-from-home
• Casual work environment, read no fancy clothes required, but you are free to dress to the nines!
• Monthly virtual happy hours
• Quarterly all-hands meetings

Weedmaps is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, gender expression, national origin, protected veteran status, or any other basis protected by applicable law, and will not be discriminated against on the basis of disability. We are looking for the smartest and most passionate people who want to join our team and develop the services, systems, and marketplaces that will serve the marijuana industry in the decades to come. Our company uses E-Verify to confirm the employment eligibility of all newly hired employees. To learn more about E-Verify, including your rights and responsibilities, please visit www.dhs.gov/E-Verify.

Applicants may be entitled to reasonable accommodations under the terms of the ADA and state/local laws.  Please inform us if you need assistance participating in the interview process.

About Weedmaps:

Founded in 2008, WM Technology is a leading technology and software infrastructure provider to the cannabis industry, comprising a B2C platform, Weedmaps, and B2B software, WM Business. The cloud-based SaaS solutions from WM Business provide an end-to-end operating system for cannabis retailers. WM Business’ tools support compliance with the complex, disparate, and constantly evolving regulations applicable to the cannabis industry. Through its website and mobile apps, WM Technology provides consumers with the latest information about cannabis retailers, brands, and products, facilitating product discovery and driving engagement with our retail and brand customers.

WM Technology holds a strong belief in the power of cannabis and the importance of enabling safe, legal access to consumers worldwide. Since inception, WM Technology has worked tirelessly, not only to become the most comprehensive platform for consumers, but to build the software solutions that power businesses compliantly in the space, to advocate for legalization, social equity, and licensing in many jurisdictions, and to facilitate further learning through partnering with subject matter experts on providing detailed, accurate information about the plant.

Headquartered in Irvine, California, WM Technology supports remote work for all eligible employees. Visit us at www.weedmaps.com.

#LI-REMOTE #WMFromAnywhere