
CoStar Group
Provides commercial real estate data, analytics, and marketing services.
Senior SaaS Security Engineer
Design and lead the enterprise SaaS security program, including SSPM, CASB, and OAuth governance.
Job Highlights
About the Role
• Build the enterprise SaaS security program: charter, operating model, RACI, roadmap, ISO 27001 control mapping, and KPIs.
• Create a single-source-of-truth SaaS inventory, integrating procurement, SSO/IDP, network, CASB/SSE, SSPM, and expense data.
• Define SaaS risk tiering and baseline controls based on data classification and business criticality.
• Implement and operationalize SSPM, extending CASB/SSE for continuous posture assessment, misconfiguration detection, and auto‑remediation pipelines.
• Engineer governed OAuth/consent patterns across the IDP and key platforms (Salesforce, Microsoft 365, Workday, Atlassian, etc.), including app catalogs, pre‑approved scopes, least privilege, token hygiene, and device trust signals.
• Define and enforce SSO/MFA, SCIM provisioning, tenant segmentation, conditional access, SaaS DLP, and API logging/telemetry standards.
• Establish secure configuration baselines and policy‑as‑code automations (Terraform/OPA/CLI) for major SaaS platforms.
• Integrate SaaS signals into SIEM/SOAR and develop detection content for OAuth abuse, consent anomalies, data exfiltration, admin drift, and risky API usage.
• Author and execute SaaS incident response playbooks covering token theft, consent rollback, key rotation, scope reduction, app quarantine, containment, forensics, and lessons learned.
• Codify SaaS security standards and exception management with GRC; embed controls into procurement, vendor risk, and IT change processes.
• Align SaaS security activities to SOX ITGC, GDPR/CCPA, SOC 2/ISO audit evidence, and other regulatory requirements.
• Drive adoption through a curated enterprise app catalog, secure patterns, admin training, and migration plans, and publish dashboards on coverage, high‑risk apps, posture, MTTR, and consent trends.
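Two of the responsibilities above, governed OAuth consent (app catalog plus pre-approved scopes) and detection content for consent anomalies, share one control surface: the stream of consent-grant events. The following Python script is an added example, not code from CoStar or from this posting, of what that control looks like in practice. It checks each grant against a pre-approved app/scope catalog, flags high-privilege scopes granted by user (non-admin) consent, and detects a burst of distinct users consenting to an uncatalogued app, the pattern of a consent-phishing campaign. The event schema, app IDs, catalog contents, scope list and thresholds are all constructed for illustration (the scope names follow Microsoft Graph permission naming, but the event shape is not any vendor's export format); Python is used because the role lists it as a required scripting language.

```python
"""
Added example (not from the job posting): OAuth consent-governance checks over
constructed consent-grant events. Catalog, scopes, app IDs and thresholds are
hypothetical; real tenants export consent audit events in their own schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical pre-approved app catalog: app_id -> scopes governance has approved.
APP_CATALOG = {
    "app-crm-sync-0001": {"User.Read", "Calendars.Read"},
    "app-ticketing-0002": {"User.Read", "Mail.Read"},
}

# Scopes that should never arrive via plain user consent (constructed list using
# Microsoft Graph-style permission names as examples).
HIGH_PRIVILEGE_SCOPES = {
    "Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All",
    "Application.ReadWrite.All", "offline_access",
}

# Consent-burst rule: this many distinct users consenting to one uncatalogued app
# inside the window is treated as a possible consent-phishing campaign.
BURST_USERS = 3
BURST_WINDOW = timedelta(minutes=15)


def evaluate_grant(event):
    """Return a list of finding strings for one consent-grant event."""
    findings = []
    app = event["app_id"]
    scopes = set(event["scopes"])
    approved = APP_CATALOG.get(app)
    if approved is None:
        findings.append(f"uncatalogued app {app}")
    else:
        extra = scopes - approved
        if extra:
            findings.append(f"scopes outside pre-approval for {app}: {sorted(extra)}")
    high = scopes & HIGH_PRIVILEGE_SCOPES
    if high and not event.get("admin_consent", False):
        findings.append(f"high-privilege scopes {sorted(high)} granted by user consent")
    return findings


def detect_consent_bursts(events):
    """Return {app_id: sorted users} for uncatalogued apps that collect BURST_USERS
    or more distinct consenting users within any BURST_WINDOW (sliding window)."""
    by_app = defaultdict(list)
    for e in events:
        if e["app_id"] not in APP_CATALOG:
            by_app[e["app_id"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    bursts = {}
    for app, grants in by_app.items():
        grants.sort()
        for i, (t0, _) in enumerate(grants):
            users = {u for t, u in grants[i:] if t - t0 <= BURST_WINDOW}
            if len(users) >= BURST_USERS:
                bursts[app] = sorted(users)
                break
    return bursts


def triage(events):
    """Evaluate every event; return ({event_id: findings}, burst map)."""
    per_event = {e["id"]: evaluate_grant(e) for e in events}
    return per_event, detect_consent_bursts(events)


# Constructed sample consent-grant events (not real audit data).
SAMPLE_EVENTS = [
    {"id": "g1", "time": "2024-05-01T09:00:00", "user": "alice", "app_id": "app-crm-sync-0001",
     "scopes": ["User.Read", "Calendars.Read"], "admin_consent": False},
    {"id": "g2", "time": "2024-05-01T09:05:00", "user": "bob", "app_id": "app-ticketing-0002",
     "scopes": ["User.Read", "Mail.ReadWrite"], "admin_consent": False},
    {"id": "g3", "time": "2024-05-01T09:10:00", "user": "carol", "app_id": "app-unknown-9999",
     "scopes": ["Mail.Read", "offline_access"], "admin_consent": False},
    {"id": "g4", "time": "2024-05-01T09:12:00", "user": "dave", "app_id": "app-unknown-9999",
     "scopes": ["Mail.Read", "offline_access"], "admin_consent": False},
    {"id": "g5", "time": "2024-05-01T09:20:00", "user": "erin", "app_id": "app-unknown-9999",
     "scopes": ["Mail.Read", "offline_access"], "admin_consent": False},
    {"id": "g6", "time": "2024-05-01T11:00:00", "user": "admin", "app_id": "app-crm-sync-0001",
     "scopes": ["Directory.ReadWrite.All"], "admin_consent": True},
]

if __name__ == "__main__":
    findings, bursts = triage(SAMPLE_EVENTS)
    for gid, f in findings.items():
        print(gid, f or "ok")
    print("bursts:", bursts)
```

On the sample data, g1 is clean, g2 and each of g3 through g5 produce two findings (scope drift or uncatalogued app, plus a high-privilege scope via user consent), g6 produces only the catalog finding because it was admin-consented, and the three grants to `app-unknown-9999` within ten minutes trip the burst rule. In a real deployment the catalog would be sourced from the SaaS inventory and the findings routed to the SIEM/SOAR as the consent-rollback and app-quarantine playbook triggers the posting describes.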
Key Responsibilities
- SSPM
- OAuth governance
- Policy‑as‑code
- SIEM integration
- IR playbooks
- GRC
What You Bring
• Bachelor’s degree from an accredited institution.
• 8+ years in security, with at least 3 years focused on SaaS security in large enterprises (5k+ employees).
• Deep expertise in OAuth 2.0/OIDC, SAML, SCIM, JWT/PKCE, token hygiene/rotation, consent governance, and least‑privilege scopes.
• Hands‑on experience with major SaaS ecosystems at scale (Salesforce, Microsoft 365/Entra ID, Google Workspace, ServiceNow, Workday, Slack, Atlassian).
• Experience operationalizing SSPM and/or CASB/SSE, integrating IDP signals into SIEM/SOAR, and building detections and automations.
• Strong knowledge of NIST 800‑53/CSF, ISO 27001, CIS Controls v8, and CSA CCM, and of mapping them to SaaS controls.
• Incident response experience for SaaS/OAuth/token compromise scenarios.
• Proficiency in scripting/automation (Python, PowerShell, Node) and IaC/policy‑as‑code.
• Preferred: prior leadership of a SaaS/OAuth security initiative, DLP and data classification experience, familiarity with SOX ITGC and privacy‑by‑design, relevant certifications (CISSP, CCSP, CCSK, vendor accreditations), and evidence of thought leadership.
Requirements
- OAuth
- SAML
- SSPM
- Python
- CISSP
- Incident response
Benefits
Joining CoStar offers a collaborative, innovative culture with competitive compensation, performance‑based incentives, professional development opportunities, tuition reimbursement, and a comprehensive benefits package that supports health, wealth, and work‑life balance.
• Comprehensive medical, vision, dental, and prescription drug coverage.
• Life, legal, and supplemental insurance.
• Virtual and in‑person mental health counseling for individuals and families.
• Commuter and parking benefits.
• 401(k) plan with matching contributions.
• Employee stock purchase plan.
• Paid time off and tuition reimbursement.
• On‑site (or reimbursed) fitness center, yoga studio, Peloton, personal training, and group exercise classes.
• Access to Diversity, Equity & Inclusion employee resource groups.
• Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and healthy snacks.
Work Environment
Office Full-Time