Lead the security hardening of a global ecommerce platform that serves millions of customers across 100+ countries. This is a hands-on principal-level role for someone who can set the secure-by-default standard, automate the controls, and still jump in when the threat landscape shifts.
About iHerb
iHerb’s mission is to make health and wellness accessible to all through a massive ecommerce platform dedicated to vitamins, supplements, and wellness products. They ship 50,000+ products from 1,800+ brands to customers in 180+ countries. Their scale is real, which means their security expectations are, too.
Schedule
Full-time
Fully remote (must reside in the U.S.)
High-impact role in a fast-paced, global ecommerce environment
What You’ll Do
⦁ Lead enterprise-wide Secure Development Lifecycle (SDL) strategy and execution across the platform
⦁ Conduct security design reviews and advanced threat modeling for mission-critical services
⦁ Establish secure architecture standards and patterns across application, cloud-native, and infrastructure layers
⦁ Evaluate and govern security tooling and services (DAST, SAST, SCA, WAF, secrets management, and more)
⦁ Track emerging threats, assess applicability, and implement centralized mitigations proactively
⦁ Drive security assessments, penetration testing, and bug bounty programs to reduce systemic risk
⦁ Ensure application security practices meet PCI DSS requirements across the transaction lifecycle
⦁ Participate in incident response as a technical security leader when it matters most
What You Need
⦁ 8+ years of hands-on security experience at a strong software company, with deep application security leadership
⦁ Strong security architecture and threat modeling expertise across modern services and platforms
⦁ Expert knowledge of application and infrastructure vulnerabilities and mitigations (OWASP Top 10, CWE, etc.)
⦁ Deep understanding of ecommerce transaction flows and PCI DSS compliance in high-volume environments
⦁ Proven experience implementing SDL processes, automation, and tooling in DevOps or DevSecOps environments
⦁ Experience securing large-scale web apps and microservices including APIs, authN/authZ, encryption, and data protection
⦁ Working knowledge of major languages and frameworks (Python, C#/.NET, JavaScript/Node.js, Java, etc.)
⦁ Strong communication skills with the ability to influence both engineers and executive leadership
Benefits
⦁ Anticipated pay scale: $176,534 to $264,801 USD (varies by location and experience)
⦁ Medical, dental, and vision coverage for eligible employees and families
⦁ 401(k) plan
⦁ Paid time off, paid sick leave, and paid holidays
⦁ Potential for annual bonuses and Restricted Stock Units (based on eligibility and performance)
This is not a “check the box” security role. It’s a build-the-system, harden-the-platform, own-the-risk seat.
Happy Hunting,
~Two Chicks…