Job Details

ID #49554717
State Pennsylvania
City Dresher
Job type Permanent
Salary USD TBD TBD
Source Tential
Showed 2023-03-26
Date 2023-03-25
Deadline 2023-05-24
Category Et cetera

REMOTE - Principal Application Security Engineer

Dresher, Pennsylvania 19025, USA

Vacancy expired!

Our client, a leading financial services organization, is seeking a talented Application Security Engineer.

Reporting to the BISO, the Application Security Engineer is responsible for the application security program. This position requires a passion for data protection and a combination of application development and/or security experience, along with strong communication and organizational skills, collaborative abilities, self-motivation, innovation, efficiency, and attention to detail. This position will perform a variety of application security responsibilities across business units and be the primary resource for our application security program. This role serves as a trusted application security advisor to scrum teams, driving best practices for application security to help ensure the confidentiality, integrity and availability of our web applications and application programming interfaces (APIs). The Application Security Engineer is deeply involved with our application scrum teams and is instrumental in helping define the strategy to meet the information security organization's high-level goals, while remaining embedded within the scrum team processes and serving as a subject matter expert in secure development practices. This is a critical role requiring strategic thinking, initiative, and proactive interaction at many levels. This role will receive strong support from the Head of Technology and Information Security leadership to execute effectively on defined organizational goals and strategic plans.

Section 2: Job Functions, Essential Duties and Responsibilities
  • Responsible for protecting, securing, and properly handling all confidential data to prevent unauthorized access, improper transmission, and/or unapproved disclosure of information that could result in harm to our clients.
  • Our I-Client service philosophy and our Core Values of People Matter, Quality First and Integrity Always® should be visible in your actions on a day-to-day basis, showing your support of our organization.
  • In conjunction with security and development leadership, develops a comprehensive, agile, and innovative DevSecOps approach that supports all phases of the software development lifecycle (SDLC) and identifies and effectively manages risk.
  • Provide security consultation to scrum teams, application owners, and technology teams on relevant security controls and secure SDLC process
  • Participate in sprint planning meetings and various decision-making sessions to ensure that security requirements and considerations are built into the development practices
  • Conduct application security analysis, including architecture review, analysis of data flows, penetration testing support, and threat modeling
  • Build and monitor compliance with application security policies, coding standards, and security controls in support of mitigating threats
  • Responsible for the deployment and integration of services to support SAST, DAST and SCA functions. Assist development teams in performance of static and dynamic testing, triage findings and provide remediation guidance where necessary
  • Assist with other tasks and projects as assigned
  • A minimum of 7 years' experience in Secure Software Development and/or DevSecOps (preferred)
  • Ability to define software security and privacy requirements
  • Solid understanding of threat modeling, risk, and mitigation from internal and external threats
  • Experience with development of system security architecture diagrams and security architecture specification per security architecture standards
  • Experience performing software security design reviews
  • Experience integrating security testing tools into a CI/CD pipeline, including Static and Dynamic Application Security Testing (SAST/DAST) and Software Composition Analysis (SCA)
  • Experience with application testing tools (e.g., Burp Suite, Fiddler, Zap, Wireshark, Metasploit)
  • Experience configuring WAFs, API gateways, and API security tools
  • Solid understanding of the most common application and API security risks (OWASP Top 10, SANS/CWE Top 25)
  • Solid understanding of application, database and network vulnerability testing principles
  • Working knowledge of the Microsoft Security Development Lifecycle (SDL), OWASP Software Assurance Maturity Model (SAMM), or Building Security in Maturity Model (BSIMM)
  • Experience with assessing secure adoption of third-party components such as open source or commercial software
  • .NET/Java experience a plus
Information Security
  • Understanding of information security frameworks such as ISO 27001, NIST, and CSA, and experience operating in an environment regulated under FFIEC, SEC and/or HIPAA requirements
  • Solid understanding of authentication and authorization systems
  • Solid understanding of cryptographic standards (e.g., encryption, hashing, key management, digital signatures, etc.)
  • Ability to provide vulnerability remediation guidance and mentoring to product development software engineers
  • Ability to translate security risks to business impact
  • Experience running or managing vulnerability assessments using automated tools (e.g., Nessus, Qualys, etc.) as well as managing penetration testing engagements.
  • Understanding of privacy regulations as it relates to the handling and protection of information.
  • Experience with fraud detection and analysis as it relates to custom developed applications
DevSecOps
  • Experience integrating automated testing tools into a CI/CD pipeline
  • Experience implementing cloud security controls following Cloud Security Alliance (CSA) or Cloud Service Provider (CSP) best practices (Azure, AWS, etc.)
  • Experience implementing and supporting security automation tools (e.g., Kubernetes (K8s) and CSP platform configuration, hardening, and monitoring).
#REMOTE#DICE#LI-TP

