Principal Application Security Engineer

Location and Remote Policy

United States of America – Remote / Home Office – must reside in U.S.

Are you passionate about securing global‑scale e‑commerce services and applications that power millions of customers across more than a hundred countries?

We are looking for a hands‑on Principal Product Security Engineer to lead Secure Development Lifecycle assurance processes, security automation technologies, the hardening strategy across our product, and respond to current and emerging security threats.

• Lead cross‑functional projects and establish cutting‑edge security development lifecycle practices.
• Directed security design reviews and threat modeling for new and existing services at iHerb.
• Evaluate, prototype, implement, and operate security‑focused tools and services.
• Create new secure architecture standards, frameworks and patterns spanning multiple layers.
• Discover and analyze emerging security threats, determine applicability to iHerb and proactively implement centralized mitigations.
• Maintain a strong knowledge of current security threats and operational best practices.
• Drive security assessment, penetration testing and bug bounty programs.
• Participate in security incident response.

• Demonstrated technical foundation (Computer Science / Engineering degree or equivalent).
• 10+ years of technical security leadership at a top‑tier software company including experience with security products, threat modeling, security design, security architecture, cryptography, mobile security and broader cloud computing technologies.
• Solid understanding of common application and infrastructure security vulnerabilities and mitigations (OWASP Top 10, CWE…).
• Proficiency implementing SDL process, technology, and automation in a Dev Ops environment.
• Experience with large‑scale web applications and microservices, including API design, access management, authorisation, authentication, data protection and encryption.
• Excellent problem‑solving, critical thinking, collaboration and communication skills.

• Experience with Cloudflare security, AWS VPCs, EC2 instances and Docker.
• Ability to drive good decisions through data with great attention to detail and deliver KPIs.
• Experience driving application security training, security champions and awareness campaigns.
• Active contributor to the security community (research, open source, publications…).

The anticipated pay scale for this position can be found below; it may vary by geographic location. The final pay offered to a successful candidate will depend on experience, skill set, and other factors.

Employees and their families that meet eligibility criteria may participate in our medical, dental, vision, and basic life insurance programs, and enroll in our 401(k) plan. Employees are also eligible for time off, paid sick leave, and paid holidays. RSUs and annual bonuses may be awarded based on eligibility and performance. For more information on iHerb benefits, visit

iHerb is on a mission to make health and wellness accessible to all. We are the world’s largest e‑commerce platform dedicated to vitamins, minerals and supplements, serving consumers in over 180 countries with more than 50,000 products from 1,800 brands.

iHerb is an equal‑opportunity employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability or veteran status. iHerb prohibits discrimination and harassment.