Senior API Security Engineer - Application Security

Job Description

You Lead the Way. We’ve Got Your Back.

At American Express, we know that with the right backing, people and businesses have the power to progress in incredible ways.  Whether we’re supporting our customers’ financial confidence to move ahead, taking commerce to new heights, or encouraging people to explore the world, our colleagues are constantly redefining what’s possible - and we’re proud to back each other every step of the way. When you join #TeamAmex, you become part of a diverse community of over 60,000 colleagues, all with a common goal to deliver an exceptional customer experience every day.

American Express is seeking a Senior API Security Engineer with proven strong technical competence and leadership capability to contribute towards the success of enterprise-wide API security initiatives. The Senior API Security Engineer serves as a subject matter expert in API security, performs threat modeling of APIs and plays an integral role in managing, monitoring and reporting on API security risk reduction. The Senior API Security Engineer supports the security champion practice by evangelizing API security principles and controls.

Primary Responsibilities

  • Conduct and facilitate day-to-day threat modeling of web APIs within the established SLAs.
  • Document risk management plans for API threat models to effectively communicate residual risks to the business.
  • Perform ongoing governance and follow-through with API owners to ensure implementation of threat based requirements.
  • Develop, deliver and keep up-to-date API security standard requirements and design patterns.
  • Manage ongoing security exceptions to API security standards.
  • Perform API security code reviews and attest to API security standard compliance.
  • Validate implementation of API security controls against outputs of vulnerability testing tools to enable auditability and verifiability.
  • Serve as an API security technical advisor to application teams.
  • Evangelize API security design principles.
  • Be recognized as an API security subject matter expert within the organization.

Minimum Qualifications

Security and Technical Experience

  • Direct hands on experience developing and securing web APIs and web applications: REST, SOAP, gRPC.
  • Direct hands on experience with security testing of web services and web APIs.
  • Solid hands on experience with leading threat modeling exercises for applications and services.
  • Direct hands on experience with threat modeling frameworks, attack vectors and vulnerability analysis: CAPEC, ATT&CK, STRIDE.
  • Solid understanding of risk management, security architecture and secure SDLC practices.
  • Strong experience and understanding of API identity and access management controls: OAuth 2.0, OIDC, JWT
  • Strong experience with and understanding of cryptography controls: data at rest, in motion and in use.
  • Experience with industry standards and frameworks: NIST 800-53, NIST CSF, OWASP, SANS Top 25.
  • Experience with Java, Javascript and mobile application development.
  • Familiarity with database architectures: Oracle, SQL and NoSQL Databases.

Key Behaviors/Competencies

  • Self-directed, Confident Team Player
  • Strong Technical Thinker
  • Strong Planning, Execution and Collaborative skills
  • Strong Communication skills: Strong verbal and written communication skills. Ability to document risk and control summary artifacts that translate complex threat models into easy-to-read reports for the business.
  • Openness to Learning: Takes personal responsibility for learning and upskilling. Acquires strategies for gaining new knowledge, behaviors and skills. Builds on and applies existing knowledge. Engages in learning from others, inside and outside the organization.
  • Adaptability: Demonstrates flexibility within a variety of changing situations, while working with individuals and groups. Changes his or her own ideas or perceptions in response to changing circumstances.
  • Business Acumen: Demonstrates an awareness of American Express internal dynamics


  • Bachelor's degree in computer science, information systems, cybersecurity, or a related field.
  • At least 5 years' experience with threat modeling, secure application design and development practices.

Preferred Security Certifications

  • CISSP, SANS GIAC or similar certifications

Employment eligibility to work with American Express in the U.S. is required as the company will not pursue visa sponsorship for these positions.

American Express is an equal opportunity employer and makes employment decisions without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, disability status, age, or any other status protected by law.

ReqID: 21005070
Schedule (Full-Time/Part-Time): Full-time
Date Posted: Apr 15, 2021, 11:39:22 AM