Staff Application Security Engineer

As a Staff Application Security Engineer, you will own our application (product) security program, ensuring that security is embedded in the development lifecycle, from design through deployment. This is a highly visible role which will partner with various teams to support their initiatives and help them deliver on TRR's promise of Trust & Safety to our customers. You'll be part of a strong and agile security team, and will be regarded as the application security knowledge leader. This is an ideal role for someone who has been in application security for a number of years who is interested in moving into Management. If you thrive in a fast-paced, fun, rapidly growing, and collaborative work environment, you'll love working here!

What You Get To Do Every Day

• Build AppSec program from start-to-finish, to include core application security practices, with a high degree of innovation and freedom
• Partner with developers and engineers to improve knowledge and awareness of secure coding practices
• Perform architectural reviews to perform a threat analysis, identify security risks, and provide recommendations
• Incorporate secure code tools, technologies and processes in build pipelines
• Manage Enterprise Secrets Management, WAF, and security requirements for Microservices,
• Rest API, OAUTH, SAML, Container Security, SaaS solutions, CI / CD build eco systems
• Define and implement processes, include SLAs, requirements, repository for approved code - with timeline, decision, and outcome
• Deliver Threat Models and advise on potential attack scenarios
• Conduct or outsource application penetration testing
• Communicate security risks and recommendations effectively with technical and non-technical audiences through verbal and written communications that lead to actionable and measurable improvements
• Act as Ambassador and Subject Matter Expert with internal teams

What You Bring To The Role

• 8+ years of relevant industry experience
• Strong knowledge and comfort with secure design practices and Threat Modeling
• Ability to translate and speak with technical and non-technical audiences
• Understands Infrastructure as code and associated concepts - 12-factor app, EnvVars,
• Configuration, and others
• Development experience in one or more of these technologies: Ruby, Bash, Elixir, and Python
• Strong knowledge of securing AWS and GCP
• Experience with Encryption Secrets Management 
• Ability to triage and troubleshoot WAF and/or CDN issues from a security and application
• perspective
• Experience with various development, debugging and application security tools
• Comfortable partnering distributed teams and cross-functional stakeholders
• Innovative, proactive, well-spoken, team-player, and enthusiastic
• Heavy interest in pursuing a Management role in Security

The RealReal is the world's largest online marketplace for authenticated, consigned luxury goods. With a rigorous authentication process overseen by experts, The RealReal provides a safe and reliable platform for consumers to buy and sell their luxury items. We have 150+ in-house gemologists, horologists and brand authenticators who inspect thousands of items each day. As a sustainable company, we give new life to pieces by hundreds of brands, from Gucci to Cartier, supporting the circular economy. We make consigning effortless with free in-home pickup, drop-off service and direct shipping for individual consignors and estates. At our stores in LA, NYC and San Francisco, customers can shop, consign, and meet with our experts. At our 10 Luxury Consignment Offices, four of which are in our retail stores, our expert staff provides free valuations. Founded in 2011 and listed publicly in 2019 (Nasdaq: REAL), we're growing fast and fundamentally changing the way people buy and sell luxury - a multi-billion dollar industry. Build your career with us and enjoy 401K matching, health, dental and vision insurance, commuter flex spending, healthcare flex spending, generous PTO, a mother's room, and flexible work hours!

The RealReal is committed to providing an equal employment opportunity regardless of race, color, ancestry, religion, sex, national origin, sexual orientation, age, citizenship, marital status, disability, gender identity or expression, or Veteran status. We will consider qualified applicants for a position regardless of arrest or conviction records, consistent with legal requirements.