Clarivate
Application Security Engineer (WAF / Cloud Security)
Full details on LinkedIn
The complete job description, requirements, and application details are available on the original posting.
About Clarivate
Clarivate is a global information services company founded in 2016, resulting from the acquisition and spin-off of Thomson Reuters' Intellectual Property and Science business. It is publicly traded on the NYSE under the symbol CLVT and has a rich history that includes the world's oldest database of animal biology, the Zoological Record. The company operates through three main business units: Intellectual Property Group, Life Sciences & Healthcare Group, and Academic and Government Group. Clarivate provides a range of services, including extensive databases like Web of Science and Derwent Innovation, intellectual property solutions such as patent analysis and trademark protection, and scientific research tools for universities and research institutions. Additionally, it offers life sciences analytics through products like Cortellis, supporting clients in drug development and regulatory processes. Clarivate serves a diverse clientele, including academic institutions, corporations, government organizations, and law firms, emphasizing its role as a trusted partner in innovation.
Security at Clarivate
Compiled from public job postings, careers pages, and company materials. Data may not reflect current state — verify during interviews.
Security Philosophy
“Clarivate's AppSec philosophy emphasizes security-by-design, embedding security aspects from early stages of design, development, and implementation. They utilize a defined Secure Software Development Lifecycle and incorporate security specific test plans within their Quality Assurance processes. Testing involves Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). Their risk philosophy includes establishing design requirements, analyzing attack surface, and threat modeling. Explicit statements on pain points/goals or a 'developer-first' vs 'gatekeeping' approach were not publicly available.”
Security Team
Clarivate's product security is embedded within its global security team, which includes Security Engineering & Operations, Product Security, Security Architecture, and Governance, Risk & Compliance. Scott Breece is identified as the Senior Vice President and Chief Information Security Officer. Team size estimates and other public-facing AppSec leaders are not publicly available. As of, there is one active AppSec job posting for a 'WAF Cyber Security Engineer'. Common skills and tools mentioned in job postings include Web Application Firewalls (WAF), DAST, RBVM, SAST, and cloud platforms (AWS, Azure, GCP). No public org chart explicitly states whether AppSec reports to CISO vs CTO, though it sits within the global security team.
Key Initiatives
Clarivate does not publicly show evidence of a Security Champions Program. Their 'Shift Left' approach is evidenced by 'security by design' and a secure SDLC, with security aspects embedded from early stages and security-specific test plans in QA processes, but lacks explicit pre-commit, IDE, or CI/CD tool specifics. Their vulnerability management process includes an external researcher program via HackerOne and formal procedures to assess, validate, prioritize, and remediate identified issues. Secure SDLC artifacts include establishing design requirements, analyzing attack surface, threat modeling, and utilizing SAST and DAST. Recent initiatives include active hiring for a Cyber Security Engineer, but other program rollouts or policy changes in the last six months are not publicly available. Gaps include no public documentation on SLAs, MTTR targets, exact triage ticket ownership, or internal Security Champions program structure.
Preparing for an AppSec interview?
Get the weekly briefing 2,000+ security pros trust.