Application Security Engineer

You will be working in a fast-paced DevSecOps environment where code change happens at a rapid speed and where it is paramount to control security testing into a continuous deployment/integration flow.
In this Role, you’ll get to:

• Play a lead role in developing and designing application-level security controls and standards.
• Perform application security design reviews against new products and services.
• Track and prioritize all security issues.
• Build internal security tools that help fix security problems at scale.
• Perform code review and drive remediation of discovered issues.
• Enable automated security testing at scale to measure vulnerability, and report on risk across all microservice, web and mobile platforms.
• Execute security tests on thousands of servers which are spread across on-premise and public cloud data centers.

What you’ll Need to Succeed:

• Strong foundations in software engineering.
• Minimum of 7 years of technical experience with any combination of the following: threat modeling experience, secure coding, identity management and authentication, software development, cryptography, system administration and network security.
• Minimum 2 years experience with Software Development Life Cycle in one or more languages (Rust, Python, Go, Nodejs, etc.)
• Minimum 1 year experience with public/private cloud environments (Openshift, Rancher, K8s, AWS, GCP, Azure, etc.)
• Experience in running assessments using OWASP MASVS and ASVS
• Working knowledge on exploiting and fixing application vulnerabilities
• Strong background in threat modeling
• In-depth knowledge of common web application vulnerabilities (i.e. OWASP Top 10)
• Familiarity with automated dynamic scanners, fuzzers, and proxy tools
• An analytical mind for problem solving, abstract thought, and offensive security tactics
• Highly effective communication skills, in both verbal and written forms, to effectively convey technical and non-technical concepts to a wide variety of audiences.

Desired candidate profile

• Security Testing and Vulnerability Assessment:

  • Static Application Security Testing (SAST): Perform static code analysis to identify security vulnerabilities in the source code early in the development lifecycle, before the code is executed.
  • Dynamic Application Security Testing (DAST): Use automated tools and manual techniques to simulate attacks on running applications to identify vulnerabilities such as SQL injection, cross-site scripting (XSS), and insecure data storage.
  • Penetration Testing: Conduct manual and automated penetration testing to exploit vulnerabilities in applications and report findings.
  • Threat Modeling: Work with development teams to conduct threat modeling exercises, identifying potential security threats and weaknesses in the application's architecture and design.

• Vulnerability Management:

  • Identifying Security Flaws: Work with development and operations teams to identify security flaws in applications and ensure that they are addressed before release.
  • Prioritizing Vulnerabilities: Assess the severity and risk of vulnerabilities, and provide guidance on which flaws to prioritize based on the potential impact and exploitability.
  • Fixing and Mitigating Vulnerabilities: Collaborate with developers to implement fixes for identified vulnerabilities, ensuring that the necessary patches are applied without compromising application functionality.

• Security Design and Architecture:

  • Secure Code Practices: Promote the adoption of secure coding practices and provide guidance on writing secure code to prevent vulnerabilities from being introduced during development.
  • Security Architecture: Ensure that security is incorporated into the software architecture, including secure authentication mechanisms, encryption, and secure access controls.
  • Integrating Security Tools: Work with DevOps teams to integrate security tools into the continuous integration/continuous deployment (CI/CD) pipeline to automatically test applications for vulnerabilities throughout development.

• Incident Response and Investigation:

  • Responding to Security Incidents: Investigate application security incidents, including security breaches, data leaks, and exploitation of vulnerabilities.
  • Post-Incident Analysis: Conduct post-incident reviews to identify what went wrong and recommend improvements to prevent similar incidents in the future.

• Compliance and Standards:

  • Regulatory Compliance: Ensure that applications comply with relevant regulations and industry standards (e.g., GDPR, HIPAA, PCI DSS) to protect sensitive data and ensure privacy.
  • Security Audits: Participate in or conduct internal and external security audits to evaluate the effectiveness of security controls and identify areas for improvement.
  • Security Best Practices: Advocate for security best practices within the development process, ensuring that the product is secure by design.

• Training and Awareness:

  • Developer Training: Conduct training sessions for developers to educate them on secure coding practices, common vulnerabilities (e.g., OWASP Top 10), and security tools.
  • Awareness Programs: Raise awareness about security issues across the development team and organization, encouraging a culture of security-conscious development.

• Security Automation:

  • Automating Security Testing: Implement automated security testing tools and scripts to scan for vulnerabilities continuously as part of the development pipeline.
  • Continuous Monitoring: Set up systems to continuously monitor applications for new vulnerabilities or security threats, ensuring that they remain secure even after deployment.