Marketplace Security Lead

Description:

We are seeking a Marketplace Security Engineer to ensure the security posture, compliance, and assessment process of all apps within monday.com’s marketplace. This role will be pivotal in safeguarding our customers, empowering developers, and aligning our marketplace with industry-leading security standards.

Marketplace Security Framework

• Own and maintain a robust program that ensures the security framework of all apps in the marketplace.
• Work with Marketplace teams (Product and R&D) for incorporating security checks as part of app submission and ongoing lifecycle (ideally - develop new capabilities and scans that would be embedded from the product side)
• Define, implement, and continuously enhance security requirements for marketplace apps badges and security levels for apps
• 
  
• Assure the app security posture checks corresponds with relevant controls from known security frameworks (ISO27001, HIPAA, NIST 800-53, etc) to provide customer

Security Championship & Operations

• Collaborate and work closely with monday.com’s Application Security team to Establish and maintain alignment between app security processes and monday.com’s security standards and best practices.
• Define, implement, and continuously enhance security and compliance requirements for marketplace apps, including prerequisites for badges such as "Hosted on monday" and "Shield badge"
• Oversee external validation mechanisms such as vulnerability scans, penetration tests, and security audits of marketplace apps.
• Validate developer-submitted security and compliance questionnaires, ensuring proper evidence and truthfulness.
• Maintain up-to-date security and compliance records for all apps in the marketplace.
• Continuously monitor marketplace apps and lead incident response for marketplace apps in the event of security breaches or vulnerabilities.

Developer Community Security Enablement

• Define clear guidelines on security gates and requirements for secure app development
• Create and deliver training for the developer community (for the developer community (i.e. non-employee monday.com app developers) on such guidelines, including webinars and developer-facing documentation.
• Engage with developer community in case of feedback, disputes and overall inquiries.
• React to emerging threats and vulnerabilities, providing guidance to developers on mitigation strategies..

Collaboration and Stakeholder Engagement

• Partner with marketplace product managers to gather customer feedback and perform competitive analysis, ensuring marketplace security framework meets industry and customer standards.
• Act as a focal point for security within the marketplace, representing monday.com in external forums or discussions on app security.
• 
  
• Engage with industry marketplace security teams to collaborate and exchange ideas

• Has 3-4 years of experience as a security engineer or security development (as part of the product)
• Strong knowledge of security frameworks and secure development practices.
• Knowing the web application stack - JavaScript, APIs (REST/GraphQL), OAuth, HTML5 and main web app vectors of attacks - XSS, SQL/prompt injections, etc.
• Hands-on experience with vulnerability scanning tools, security testing, and incident response processes
• Familiarity with GRC principles, including risk assessments, compliance reviews, and policy management.
• Familiarity with bug bounty programs and other community-driven security initiatives.
• Advantage: experience in security research, including setting up labs for forensics and malware analysis
• Advantage: background in providing PoCs as a base for product features
• Strong interpersonal skills with focus on education and collaboration
• Excellent communication skills
• Ability to train developers
• collaborate with cross-functional teams..
• A proactive and detail-oriented approach to problem-solving and risk management.
• Self starter and ability to move things from 0 to 1

Advantage: Familia