Here’s the gist:

Running an independent business comes with a lot of responsibilities, not least of which are all the admin tasks that take up a lot of precious time. By combining tools like billing, contracts and client communication, HoneyBook helps independent business owners streamline their process and get organized so they can get back to doing what they do best.

The independent business economy is on the rise: more new businesses were started in the United States in 2020 than at any other time in the last 15 years and this momentum only continued in 2021. Our company, like the clients we serve, thrives on creativity and innovation — in eight years, we’ve become the leading platform for independent businesses to manage their client flow and cash flow. To date, HoneyBook has raised more than $400M from investors that include Tiger Global Management, Durable Capital Partners LP, Citi Venture, Battery Ventures, Zeev Ventures, 01 Advisors, Norwest Venture Partners and Our Crowd.

But we need your help.

HoneyBook is a product that is transforming the way independent professionals operate their business. Across the United States and Canada our members are turning to HoneyBook’s all-in-one platform to handle their essential business tasks, from first inquiry to final payment, and the code you write will become a fundamental part of our quest to empower independents to rise together doing what they love. The product team at HoneyBook is growing quickly and this is an exciting time to join us. Our roles overlap frequently and we learn a lot from each other. Communication is key.

Your Opportunity
As an AppSec Engineer, you will be responsible for the security of our product. You will define processes for the product and dev teams for writing secure code and detecting new and existing vulnerabilities, you’ll manage our appsec tools.

This person should be a passionate, independent, hands-on, self-reliant, and experienced security minded engineer.

You’ll have the opportunity to be a part of the growth of honeybook and fight the good fight against malicious actors.

Here are a few of the things you'll do…

• Run security assessments, architecture reviews, threat modeling of the application stack, including applications built on cloud and emerging technologies.
• Review applications and source code for potential security issues. Assist with hands-on fixes for security issues.
• Help manage, triage, and provide remediation support for findings from various sources like penetration tests, automated scanners, etc.
• Be in charge of our bug bounty program.
• Manage appsec tools (SAST, DAST, API Security tools)- review, prioritize and remediate.
• Research the latest security standard methodologies, trends, threats and vulnerabilities, and technology frameworks.
• Actively promote a security culture and provide education within the organization while working closely with software architects, developers and DevOps.

Here’s what you’ll need to be successful…

• 3+ years of experience in web application security
• Have a deep understanding and keep up with industry trends of web/mobile application security threats, exploits, and prevention.
• Knowledge of common Web Application security vulnerabilities (OWASP TOP10, SANS 25, etc.)
• Experience in penetration testing, code auditing, and vulnerability scanning.
• Experience in working with containerized environments (Docker, K8S, EKS) and public cloud (e.g. AWS, Azure, Google Cloud)..
• Knowledge of DevSecOps methodologies, tools and technologies (e.g. CI/CD).
• Having a background in web application development.
• Experience in writing scripts and automated tools in at least one of the following languages - Python, Bash, NodeJS, Go, Ruby.
• Experience securing infrastructure in a Experience in networking concepts (firewalls, load balancers, etc) – an advantage.
• Programming background- advantage
• Ability to work in a self-directed environment that is highly collaborative and cross-functional.