iHerb
Principal Application Security Engineer
About iHerb
iHerb is a large e-commerce platform focused on health and wellness products, including vitamins, minerals, and supplements. Founded in 1996 in California, it has grown from a small operation into a global business serving millions of customers in more than 180 countries. The company offers more than 50,000 products from over 1,800 brands, covering categories such as sports nutrition, personal care, and pet products. iHerb sells proprietary brands and runs a customer review system and a rewards program. It operates nine fulfillment centers across the U.S. and Asia, with further expansion planned. The company has also partnered with well-known wellness brands. With more than 4,000 employees, iHerb provides a localized shopping experience for its customer base in each region.
Security at iHerb
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
iHerb's Application Security mission is to "lead our Secure Development Lifecycle assurance processes". Developer enablement is described in hiring language as "Experience driving application security training, security champions and awareness campaigns". The stated risk approach is to conduct "security design reviews and sophisticated threat modeling", and a stated goal is to "Drive our security assessment, penetration testing, and bug bounty programs". No public statements describing the developer experience beyond this hiring language (for example, a "paved road" or a "security sign-off" gate) were found.
Security Team
The organizational structure and reporting lines for iHerb's AppSec team are not publicly available. A public-facing security leader is Andrew Paulsen, described as a "trusted security advisor". A LinkedIn search for "iHerb" "Application Security" OR "Security Engineer" (geo: global) yielded very few individual profiles, and team size is not publicly stated. As of, there are 2 active AppSec job postings: an Application Security Lead (Job ID 7569137003) and a Principal Application Security Engineer (Job ID 6685839003). Skill and tool patterns common to the postings include "DAST, SAST, SCA, WAF, Secrets Management", adherence to the "Payment Card Industry Data Security Standard (PCI DSS)", and experience with "Cloudflare security, AWS VPCs, EC2 instances and Docker/containers". The postings name no specific SAST, SCA, or DAST vendors or products.
Key Initiatives
iHerb runs a Security Champions program, evidenced by the posting requirement "Experience driving application security training, security champions and awareness campaigns". A "Shift Left" approach is indicated by the mission to "lead our Secure Development Lifecycle assurance processes". Vulnerability intake comes from driving "security assessment, penetration testing, and bug bounty programs"; SLAs, MTTR targets, ticket ownership, and triage workflows are not publicly documented. Secure SDLC artifacts include "security design reviews and sophisticated threat modeling" and ensuring that "all application security practices adhere to the Payment Card Industry Data Security Standard (PCI DSS)". Recent activity (within the last 6 months) consists of hiring for senior AppSec roles, with postings dated and emphasizing SDL, automation, and governance. No other program announcements, tool rollouts, or policy changes were found in public sources, and there is no public documentation of day-to-day workflows for vulnerability triage, pull-request gating, or remediation SLAs.