CoStar Group · 5 days ago
Senior SaaS Security Engineer
CoStar Group is a leading global provider of commercial and residential real estate information, analytics, and online marketplaces. They are seeking a Senior SaaS Security Engineer to evolve their corporate environment and build a strong practice in SaaS Application Security.
Tags: Analytics, Commercial Real Estate, Real Estate
Responsibilities
Build the enterprise SaaS Security program: charter, operating model, RACI, roadmap, control framework mapping to ISO 27001, and KPIs
Stand up a single source of truth for SaaS inventory (shadow IT included), integrating procurement, SSO/IDP, network/DNS/forward proxy, CASB/SSE, SSPM, and expense data
Define SaaS risk tiering and baseline control requirements by data classification and business criticality
Implement and operationalize SSPM and extend existing capabilities in CASB/SSE: continuous posture assessment, misconfiguration detection, and auto-remediation pipelines
Engineer governed OAuth/consent patterns across the IDP and key platforms (e.g., Salesforce, Microsoft 365/Entra ID, Workday, Atlassian, and others):
Enterprise app catalogs, pre-approved scopes, just-in-time reviews, least privilege scopes, refresh token hygiene, IP/session restrictions, device trust signals, token revocation patterns
Define and enforce SSO/MFA mandates, SCIM provisioning, tenant segmentation, conditional access, DLP for SaaS, and API logging/telemetry standards
Establish secure configuration baselines and policy-as-code (e.g., Terraform/OPA/CLI automations) for major SaaS platforms
Integrate SaaS signals (SSPM/CASB, platform event logs like Salesforce Event Monitoring, M365, Okta/Entra) into SIEM/SOAR with detection content for OAuth abuse, anomalous consent, data exfiltration, Admin drift, and risky API usage
Author and exercise SaaS IR playbooks: token theft response, consent rollback, key rotation, scope reduction, app quarantine, containment & comms, forensics & lessons learned
Codify SaaS security standards and exception management with GRC; embed control checks into procurement/vendor risk and IT change processes
Align to SOX ITGC, privacy (e.g., GDPR/CCPA), regulatory audits, and customer assurance (SOC 2/ISO) evidence
Drive business adoption: curated enterprise app catalog, secure patterns, training for Admins and app owners, and migration plans for risky patterns
Publish dashboards and metrics for leadership (coverage, high-risk apps, misconfig posture, incident MTTR, consent trends)
Qualifications
Required
Bachelor's degree from an accredited, not-for-profit university or college
A track record of commitment to prior employers
8+ years in security with 3+ years specializing in SaaS security across large enterprises (5k+ employees)
Deep expertise in OAuth 2.0/OIDC, SAML, SCIM, JWT/PKCE, token hygiene/rotation, consent governance, and least-privilege scopes
Hands-on with one or more major SaaS ecosystems at scale: Salesforce (Connected Apps, Shield, Event Monitoring), Microsoft 365/Entra ID, Google Workspace, ServiceNow, Workday, Slack, Atlassian
Operationalizing SSPM and/or CASB/SSE; integrating IDP signals into SIEM/SOAR; building detections and automations
Strong grasp of NIST 800-53/CSF, ISO 27001, CIS Controls v8, CSA CCM, and mapping to SaaS controls
Incident response experience for SaaS/OAuth/token compromise scenarios
Scripting/automation (e.g., Python, PowerShell, or Node), and IaC/policy-as-code experience
Preferred
Prior leadership of a SaaS/OAuth security initiative from zero-to-one in a complex enterprise
Experience with DLP, data classification, eDiscovery/legal hold in SaaS
Familiarity with SOX ITGC and privacy-by-design in SaaS workflows
Certifications: CISSP, CCSP, CCSK, vendor accreditations (e.g., Salesforce Security & Privacy AP, Okta/Entra certs)
Evidence of thought leadership (runbooks, talks, open-source/policy-as-code contributions)
Benefits
Comprehensive healthcare coverage: Medical / Vision / Dental / Prescription Drug
Life, legal, and supplementary insurance
Virtual and in person mental health counseling services for individuals and family
Commuter and parking benefits
401(K) retirement plan with matching contributions
Employee stock purchase plan
Paid time off
Tuition reimbursement
On-site fitness center and/or reimbursed fitness center membership costs (location dependent), with yoga studio, Pelotons, personal training, group exercise classes
Access to CoStar Group’s Diversity, Equity, & Inclusion Employee Resource Groups
Complimentary gourmet coffee, tea, hot chocolate, fresh fruit, and other healthy snacks
Company
CoStar Group
CoStar Group (NASDAQ: CSGP) is the provider of commercial real estate information, analytics and marketing services.
Funding
Current stage: Public company (IPO 1998-07-01)
Total funding: unknown
Company data provided by Crunchbase