Principal Application Security Engineer jobs in United States

iHerb · 11 hours ago

Principal Application Security Engineer

iHerb is the world's largest eCommerce platform dedicated to health and wellness products. They are seeking a Principal Application Security Engineer to lead their Secure Development Lifecycle assurance processes and drive security hardening strategies across their products.

Beauty, Delivery Service, E-Commerce, Food and Beverage, Health Care, Retail, Software, Wellness
Hiring Manager: Joel Cazares

Responsibilities

Lead cross-functional, enterprise-wide projects and define the strategic direction for cutting-edge security development lifecycle (SDL) practices
Conduct security design reviews and sophisticated threat modeling for new and existing mission-critical services across the entire platform
Establish secure architecture standards, frameworks, and resilient security patterns spanning application, cloud-native, and infrastructure layers
Evaluate, prototype, implement, operate, and provide governance over core security tools and services (DAST, SAST, SCA, WAF, Secrets Management, etc.)
Discover and analyze emerging security threats, determining applicability to iHerb, and proactively implement centralized mitigations
Maintain a strong knowledge of current security threats and operational best practices
Drive our security assessment, penetration testing, and bug bounty programs, translating findings into comprehensive, systemic risk reduction strategies
Ensure all application security practices adhere to the Payment Card Industry Data Security Standard (PCI DSS) requirements
Participate in security incident response activities as a technical leader

Qualifications

Application Security, Security Architecture, Threat Modeling, PCI DSS Compliance, Cloud Computing, Security Automation, Programming Languages, Security Certifications, Problem Solving, Collaboration, Communication Skills, Critical Thinking

Required

Demonstrated technical foundation (Computer Science / Engineering degree or equivalent experience) with an innate ability to translate technical vulnerabilities into organizational risks
8+ years of technical security experience at a top-tier software company, including hands-on experience with threat modeling, security design, security architecture, cryptography, mobile security, cloud computing technologies, and security products
Expert understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE 25…)
Deep, demonstrable knowledge of the e-commerce transaction lifecycle and expert command of PCI DSS compliance standards within a high-transaction environment
Proven track record of driving the implementation of SDL processes, technology, and automation in sophisticated DevOps/DevSecOps environments
Experience with large-scale web applications and microservices, including API design, access management, authorization, authentication, data protection and encryption
Knowledge of major programming languages and frameworks (e.g. Python, C# .NET, JavaScript, node.js, Java...)
Exceptional problem solving, critical thinking, collaboration and communication skills with the ability to influence technical and executive leadership

Preferred

Experience in an e-commerce or high-transaction environment, specifically with knowledge of PCI DSS compliance requirements
Experience with Cloudflare security, AWS VPCs, EC2 instances and Docker/containers
Experience driving application security training, security champions and awareness campaigns
Active contributor to the security community (research, open source, publications…) with the ability to attract and hire great talent
Relevant security certifications (e.g., OSCP, CISSP, CSSLP)

Benefits

Employees (and their families) that meet eligibility criteria as outlined in applicable plan documents are eligible to participate in our medical, dental, vision, and basic life insurance programs and may enroll in our company’s 401(k) plan.
Employees will also be eligible for Time Off and Paid Sick Leave pursuant to the company’s policies.
Employees will enjoy paid holidays throughout the calendar year.
Hired applicants may be awarded Restricted Stock Units and receive annual bonuses pursuant to eligibility and performance criteria defined in the respective plan documents and policies.

Company

iHerb is on a mission to make health and wellness accessible to all.

H1B Sponsorship

iHerb has a track record of offering H1B sponsorships. Please note that this does not guarantee sponsorship for this specific role. Additional information is presented below for your reference. (Data Powered by US Department of Labor)
Distribution of Different Job Fields Receiving Sponsorship (chart)
Trends of Total Sponsorships (sponsorships per year): 2025 (4), 2024 (2), 2023 (2), 2022 (6), 2021 (2), 2020 (1)

Funding

Current Stage
Late Stage

Leadership Team

BT Bitarafan, CTO
Zach Thomann, Chief Operating Officer
Company data provided by crunchbase