Who are we?
Whatfix is a data-driven digital adoption platform (DAP) that enables organizations and users to
maximize the benefits of software. Whatfix acts as an interactive overlay on top of any application to
guide users with real-time guidance, self-help support, and user feedback. With product analytics
and AI, Whatfix enables scalable success with technology, maximizing productivity, and leveraging
data-driven insights for better decision-making. The company has seven offices globally in the US,
India, UK, Germany, Singapore, and Australia, and works with Fortune 500 companies around the
world. Whatfix has raised $140 million to date and is backed by marquee investors including
Softbank, Sequoia, Dragoneer, and Cisco Investments.

“Hustle Mode ON” is the motto we live by.
Whatfix has been named among the top 20 B2B tech companies like Adobe, PayPal, and
Cisco. With YoY revenue growth of over 65%, we have also been recognized among the top 20
fastest-growing SaaS companies worldwide in the SaaS 1000 list.
Recognized by Forrester and Everest Group as a 'Leader' in the digital adoption space, and
listed by LinkedIn among one of the Top 5 startups in India in 2020
Listed in Deloitte Technology Fast 500™ among fastest-growing companies in North America
for 2022 and 2021 and recognized as Great Place to Work 2022-2023
Whatfix has been named a Silver Winner in Stevie's Employer of the Year 2023.
Our Customer centricity is also evident from a Customer rating of 4.67 on G2 Crowd & 4.7 on
Gartner Peer Insights
Whatfix is disrupting the way Application Support and Learning content is consumed by providing
Contextual and Interactive WalkThroughs inside enterprise applications when a task is being
Performed. We provide enterprises with a Software Platform that allows them to create Interactive Guides or Flows that sit as an overlay inside any web application. Flows are Contextual—they appear based
on where you are in the application (location) and who you are (role). Optimal performance and
adoption of any web application are attained when there is easy access to Contextual Information
inside the application when a task is being performed.

What would you get to do?

The Product Security Engineer at Whatfix plays a critical role in ensuring the security of our applications, cloud services, and infrastructure. This role involves implementing and enforcing Secure Software Development Lifecycle (SSDLC) practices, conducting in-depth security assessments, and collaborating with development teams to remediate vulnerabilities. The engineer will be responsible for performing VAPT, security architecture reviews, and threat modeling while integrating security automation and best practices into the development process.

Additionally, the role includes coordinating external security assessments, managing bug bounty findings, conducting secure coding training, and working closely with GRC and TPRM teams to align security initiatives with compliance requirements. The ideal candidate will have expertise in application and API security, DevSecOps practices, and security testing tools, with a strong ability to communicate security risks and drive remediation efforts across engineering teams.

Job Description: 

• Implement and enforce Secure Software Development Lifecycle (SSDLC) practices across all Whatfix technology projects, ensuring security risks are effectively identified and mitigated throughout development.

• Conduct Vulnerability Assessment and Penetration Testing (VAPT) for SaaS applications, APIs, and cloud infrastructure, identifying security weaknesses and ensuring timely remediation in collaboration with development teams.

• Enhance application security by improving secure coding guidelines, integrating security automation, conducting developer training, and defining security metrics.

• Perform threat modeling using STRIDE to proactively identify security risks in the design phase and recommend effective mitigation strategies.

• Perform security architecture and design reviews, focusing on core security principles to enhance product security.

• Work closely with product and solution teams to achieve the objectives of the cybersecurity software security program.

• Conduct secure code reviews across various programming languages, identifying vulnerabilities and providing actionable recommendations for prevention and remediation.

• Perform both Manual and Automated Security Testing for identifying application vulnerabilities.

• Responsible for identifying security vulnerabilities, reporting issues, and collaborating with development teams to ensure timely remediation and closure.

• Responsible for coordinating and ensuring the successful execution of external VAPT assessments.

• Responsible for managing and assessing security issues reported through the bug bounty program, ensuring proper triage and remediation.

• Participate in both internal and external product security audits to ensure compliance and identify security improvements.

• Conduct and facilitate secure coding training sessions for engineering teams to enhance security awareness and best practices

• Collaborate with GRC and TPRM teams to align security initiatives with regulatory compliance, third-party risk management (TPRM), and security policies, ensuring adherence to industry standards & regulations such as GDPR, ISO 27001, SOC 2, and FedRAMP.

•  Ability to articulate and convey security threats and risks to diverse audiences, effectively emphasizing mitigation techniques and strategies

Who you are?

• In-depth knowledge of OWASP Top 10 and CWE 25, with a proven track record of implementing and integrating effective remediation strategies.

• Possess a strong understanding of microservices, APIs, and web applications, including their security best practices and potential vulnerabilities.

• Deep knowledge and experience in using SAST, DAST, IAST, SCA and fuzz testing tools.

• Experience in threat modeling using STRIDE, identifying potential security risks and implementing effective mitigation strategies.

• Knowledge of RESTful web services (client – server application) 

• Hands-on experience with automation and DevSecOps practices to enhance security integration in development workflows.

• Proficiency in high-level programming languages such as Java and .NET, with additional expertise in DAST code reviews as a plus.

• Strong understanding of SDLC methodologies, with flexibility to work in Agile environments.

• Proven experience in providing technical oversight to project team members, ensuring engagement quality and adherence to security best practices.

• Familiarity with code management systems (e.g., BitBucket), CI/CD pipelines (e.g., Jenkins), containerization (Docker, Kubernetes), microservices architecture, and authentication frameworks like OAuth 2.0 and OpenID Connect.

• Well-versed in both waterfall and agile development models, with experience embedding secure development practices in both.

• Extensive experience in driving and implementing Secure SDLC (SSDLC) practices, ensuring seamless security integration into the development process.

• Proficient in at least two scripting languages, such as Python, Perl, PHP, or Ruby.

• Experience in performing static code analysis using tools like Checkmarx, Github advanced code security to identify security vulnerabilities.

Qualifications:

• Qualification Required: Bachelor/Master Degree in either Computer Engineering or Information science 

• Preferred certifications: OSCP, CEH, ECSA, or other industry-recognized security certifications.

• Minimum experience: 5–8 years of experience in Product Security

Note: 

• At Whatfix, we thrive on the power of collaboration, innovation, and human connection. We strongly believe that working together in our office (five days a week)  fosters open communication, builds a sense of community, fuels innovation, and enables us to achieve our collective goals effectively.

• We strive to live and breathe our Cultural Principles and encourage employees to demonstrate some of these core values - Customer First; Empathy; Transparency; Fail Fast and scale Fast; No Hierarchies for Communication; Deep Dive and innovate; Trust, Do it as you own it; 

We are an equal opportunity employer and value diverse people because of and not in spite of the differences. We do not discriminate on the basis of race, religion, color, national origin, ethnicity, gender, sexual orientation, age, marital status, veteran status, or disability status