Principal Product Security Engineer

The driving force behind our success has always been the people of AspenTech. What drives us, is our aspiration, our desire and ambition to keep pushing the envelope, overcoming any hurdle, challenging the status quo to continually find a better way. You will experience these qualities of passion, pride and aspiration in many ways — from a rich set of career development programs to support of community service projects to social events that foster fun and relationship building across our global community.

The RoleUnder the direction of the VP of Product Security this role is a key member for day-to-day operations of Product Security at Aspen Technology. This role will help protect our clients, enable teams to deliver secure development, and position us for future security needs.
This thought leader will help drive mitigation of risk thru activities such as developing Threat Models, driving Risk Assessments, reviewing alignment of standard controls to mitigate risks in products, oversee vulnerability tracking, ensure security documentation and compliance with security lifecycle activities for product security releases. This could include supporting compliance documents, secure patch release, security incidents, security communications, the security champion program, and product security verification/validation activities. This role will work closely with development teams, senior leaders, and teams across the organization. This role will work with teams across the organization to mitigate risks, protect our customers, protect our assets, and enable secure activities. The Principal Security Engineer will support the development and execution of product security strategic efforts to meet business and technology objectives.
This role will also support the continuously improving product security policies, procedures, tools, guidelines, and security awareness. This role will also maintain a vigilant awareness of industry threats, standards, regulations, and best practices to enhance our security profile.

Your Impact

• Responsible for supporting the design, implementation, and oversight of Product Secure Development Lifecycle. Including aspects such as security requirements, secure architecture/design, risk assessment, threat models, security scanning, triage and vulnerability management, and product security validation/verification.
• Administers product security practices to product teams, technology, and security champions across the organization.
• Drive Product Security efforts to resolve challenges, enable automation, and impact organization security culture.
• Monitors information security best practices, standards, regulations, industry threats and risks for improvements to product security practices.
• Maintains a deep understanding of current issues in the realm of information security. Subscribes to major industry newsgroups and mailing lists and assesses the impact of all emerging issues on systems and practices at Aspen Technology.
• Monitors security bulletins and alerts from all Aspen Technology’s information system vendors. Evaluates vulnerability impact and formulates and executes risk mitigation plans for product security.
• Member of the AspenTech Security Emergency Response Team (ASERT) providing expert analysis of security customer reported security incidents. Works with information resource owners during and after security incidents; work with product teams for analysis; recommends best practices and solutions. Where appropriate, work with product teams, technology teams, client support and customer contacts.
• Occasionally after hours and weekend work to perform tasks that cannot be done during business hours.

What You'll Need

• Bachelor’s degree (B.A./B.S.) or equivalent in computer science or technical equivalent discipline from an accredited college or university required.
• 8+ years of experience in IT required.
• 5+ years of experience in an information security role or experience with security and development teams.
• Knowledge of information security regulatory requirements for privacy, secure by design, and defense in depth.
• Maintains broad understanding of information security including ISO27002, NIST and other information security frameworks and regulations.
• Experience with Application/Product Security, Risk Assessment, Threat Models, Secure Architecture/Design, Security Scanning. (SAST, DAST, SCA, cloud security configuration scanning)
• Experience with cloud solutions such as Azure and AWS - Experience with security policy, procedures, tools, services, and cloud security models.
• Demonstrated ability to plan, design, develop, deploy, and maintain application security best practices.
• Ability to assume high levels of responsibility and to work with a minimum of day-to-day supervision.
• Ability to cooperatively and effectively work with people from all organizational levels and build consensus through negotiation and diplomacy.
• Preferable exposure to the following: IEC 62443-4-1, IEC 62443-4-2, NIST 800-53, ISO 27001, ISO 27002, Cloud Security Alliance (CSA), Cybersecurity and Infrastructure Security Agency (CISA), SANS, OWASP, CWE 25, ethical hacking, and AI Security best practices.
• Desired domain knowledge and/or certification:  CISSP, CISA, CCSP, CSSLP, CEH, SANS GIAC, security certification from AWS or Azure.
• Desired knowledge of the following Technologies: Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA).
• Experience with Application Security Best Practices such as web security, cloud security, pen testing, fuzz testing, security coding guidelines, security architecture/design principles, CVSS, STRIDE, DREAD.
• Experience with Application development technologies, processes, and best practices. For example: Agile, RUP, CICD, DevSecOps.

The salary range for this role is $120,900.00 - $151,100.00. This range represents what we in good faith believe is the range possible for base compensation for this role at the time of this posting. We may ultimately pay more or less than the posted range based on several factors. This range may be modified in the future. This role is also eligible for bonus or variable incentive pay. Additionally, we offer a comprehensive benefits package including paid time off, charitable giveback day, medical/dental/vision insurance, and retirement benefits to eligible employees.