Postman
Senior Security Engineer, Application Security
About Postman
Postman is a leading API platform founded in 2014, originally as a side project to simplify API testing. It supports the entire API lifecycle, including planning, design, implementation, testing, deployment, and versioning. The platform allows developers to make HTTP requests, manage environments, and convert APIs to code in various programming languages. Postman also hosts the largest public collection of APIs, utilized by millions of users each month. The company was co-founded by Abhinav Asthana, Abhijit Kane, and Ankit Sobti in Bangalore, India. It has grown significantly from its early days, expanding from a small team to over 850 employees today, with a global presence that includes offices in San Francisco, Bangalore, and Japan. Postman fosters a culture of curiosity, trust, and collaboration, encouraging innovation and transparency within its community.
Security at Postman
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
- Postman's AppSec philosophy involves using security frameworks and industry standards throughout the software development lifecycle, uncovering OWASP vulnerabilities during testing, and assigning CVSS scores to issues.
- Their approach is seen as a dynamic, evolving strategy rather than a mere checklist.
- They also focus on developer enablement through Product Security Scorecards that link controls to developer actions and aim to avoid disruption.
Security Team
Postman employs an embedded AppSec model where "Every engineering team in Postman has an assigned Security Engineer." Key public-facing leaders include Sam Chehab, who is the Head of Security, and Gustavo De Leon, who authored the Product Security Scorecards. The exact AppSec team headcount and formal reporting line (e.g., to the CISO vs. the CTO) are not publicly available. A LinkedIn search found 12 results for security roles.
Key Initiatives
Postman implements "shift-left" practices including "PR (Pull Request) Scanning" enabled by default, company-wide "PR Blocking," and "client-side git hooks" for vulnerable dependency identification. Their vulnerability management process involves assigning CVSS scores to all issues, using an automated tool for source code analysis before every production release, and collecting outstanding security items via "Security Asks." They also run a "private bug bounty program with HackerOne." An explicit "Security Champions" program charter is not publicly available.