Are you passionate about securing global-scale ecommerce services and applications that
power millions of customers across over a hundred countries around the globe? We are looking for a hands-on Principal Application Security Engineer to lead our Secure Development Lifecycle assurance processes, our security automation technologies, drive the security hardening strategy across our product and respond to current and emerging security threats. This role can be fully remote and must reside in US.
In this role, you will function as the ultimate subject matter expert, responsible for establishing enterprise-wide security architecture, driving deep-level technical mitigations, and ensuring compliance excellence in a complex, fast-paced environment. This role requires unparalleled technical depth and strategic foresight
Responsibilities Include:
- Lead cross-functional, enterprise-wide projects and define the strategic direction for cutting-edge security development lifecycle (SDL) practices
- Conduct security design reviews and sophisticated threat modeling for new and existing mission-critical services across the entire platform
- Establish secure architecture standards, frameworks, and resilient security patterns spanning application, cloud-native, and infrastructure layers
- Evaluate, prototype, implement, operate, and provide governance over core security tools and services (DAST, SAST, SCA, WAF, Secrets Management, etc.)
- Discover and analyze emerging security threats, determining applicability to iHerb, and
proactively implement centralized mitigations - Maintain a strong knowledge of current security threats and operational best practices
- Drive our security assessment, penetration testing, and bug bounty programs translating findings into comprehensive, systemic risk reduction strategies.
- Ensure all application security practices adhere to the Payment Card Industry Data Security Standard (PCI DSS) requirements
- Participate in security incident response activities as a technical leader
In order to be successful in this role you must have:
- Demonstrated technical foundation (Computer Science / Engineering degree or
equivalent experience) with an innate ability to translate technical vulnerabilities into
organizational risks - 8+ years of technical security experience at a top-tier software company, including
hands-on experience with threat modeling, security design, security architecture,
cryptography, mobile security, cloud computing technologies, and security products - Expert understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)
- Deep, demonstrable knowledge of the e-commerce transaction lifecycle and expert command of PCI DSS compliance standards within a high-transaction environment.
- Proven track record of driving the implementation of SDL processes, technology, and automation in sophisticated DevOps/DevSecOps environments.
- Experience with large-scale web applications and microservices, including API design,
access management, authorization, authentication, data protection and encryption - Knowledge of major programming languages and frameworks (e.g. Python, C# .NET,
JavaScript, node.js, Java...) - Exceptional problem solving, critical thinking, collaboration and communication skills with the ability to influence technical and executive leadership
Bonus Qualifications:
- Experience in an e-commerce or high-transaction environment, specifically with knowledge of PCI DSS compliance requirements
- Experience with Cloudflare security, AWS VPCs, EC2 instances and Docker/containers
- Experience driving application security training, security champions and awareness
campaigns - Active contributor to the security community (research, open source, publications…) with the ability to attract and hire great talent
- Relevant security certifications (e.g., OSCP, CISSP, CSSLP)
#LI-JC1
Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs and may enroll in our company’s 401(k) plan. Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies. Employees will enjoy paid holidays throughout the calendar year. Eligibility requirements for these benefits will be controlled by applicable plan documents.
Staffing Agency Submission Notice
iHerb does not accept unsolicited 3rd party ("Agency") candidates. If you are an Agency, please send any requests to be considered as a supplier in our Vendor Management System to [email protected]. Do not contact iHerb employees directly. If requested to work on a role, any Agency candidates would be presented through the internal recruiting organization.
About iHerb
iHerb is on a mission to make health and wellness accessible to all. We offer Earth’s best-curated selection of health and wellness products, at the best possible value, delivered with the most convenient experience.
We’re the world’s largest eCommerce platform dedicated to vitamins, minerals, and supplements, and other health and wellness products. For more than 25 years, we’ve been making it simple for people all over the world to purchase the highest quality products. From supplements to skincare to grocery items, we ship over 50,000 products, from over 1,800 brands direct to our customers in 180+ countries.
Our vision is to become the #1 destination for health and wellness across the world.
With a passion for wellness and a mind for innovative solutions, iHerb team members share a vision for a healthier world that drives them each day. Our 5 Shared Values unite our global team:
Focus on the Customer · Empower Our People · Be Entrepreneurial & Pivot Quickly ·
Embrace Diversity & Inclusion · Strive for Simplicity
iHerb Benefits
At iHerb, we are dedicated to offering programs designed to help our employees and their families stay healthy, live well, and plan for their financial future. Built on a strong foundation, our programs provide options and upgrades with flexibility, protection, and security in mind. For the comprehensive benefits list, visit www.iHerbBenefits.com. For our international team members, you may be eligible for benefits depending on the country where you are employed. The Talent Acquisition Partner/local HR representative will go over the benefits you are eligible for.
iHerb is an Equal Opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status. iHerb provides equal employment opportunities to all applicants for employment and prohibits discrimination and harassment.
Top Skills
iHerb Elgin, Illinois, USA Office
2650 Auto Mall Dr., Elgin, IL, United States, 60124
Similar Jobs
What you need to know about the Chicago Tech Scene
Key Facts About Chicago Tech
- Number of Tech Workers: 245,800; 5.2% of overall workforce (2024 CompTIA survey)
- Major Tech Employers: McDonald’s, John Deere, Boeing, Morningstar
- Key Industries: Artificial intelligence, biotechnology, fintech, software, logistics technology
- Funding Landscape: $2.5 billion in venture capital funding in 2024 (Pitchbook)
- Notable Investors: Pritzker Group Venture Capital, Arch Venture Partners, MATH Venture Partners, Jump Capital, Hyde Park Venture Partners
- Research Centers and Universities: Northwestern University, University of Chicago, University of Illinois Urbana-Champaign, Illinois Institute of Technology, Argonne National Laboratory, Fermi National Accelerator Laboratory
