Identify applicable industry best practices and consult with Development teams on methods to continuously improve the risk posture. Develop and enhance practices that align application development with security frameworks, to satisfy business and regulatory requirements and to comply with SOC, ISO 27001, ISO 27018, HITRUST, and HIPAA.
Implement a secure Software Development Lifecycle (SDLC), and design security policy, standards and controls, including oversight of remediation activities. Conduct vulnerability reviews against Internet Information Services, Apache and application program interfaces (API).
Orchestrate and execute application security risk assessments independently with little or no guidance. Assess applications, design threat models, document potential risk vectors, check for code vulnerabilities, recommend proportional controls and ensure risks are resolved expeditiously.
Ensure AWS, SaaS and our cloud-native application security configurations and exchanges are free of Common Vulnerabilities and Exposures (CVE). Deploy applications for static and dynamic code testing. Research trends to meet future information security requirements.
Create and maintain integrated security dashboards pulling multiple security systems into a unified global view.
Investigate application security vulnerabilities and third-party libraries, and validate high and critical penetration test findings. Train other application security engineers, developers or platform engineers on security best practices in both coding and tools.
Assist in Security Incident Response and Cyber Forensics during and after an incident, and assist in reverse engineering the attack and designing security controls.
Troubleshoot complex implementations of SAST, DAST and SCA solutions with product teams, vendor support teams, professional services, and customers in order to provide satisfactory resolution. Document in technical detail the lessons learned, viable solutions to problems, workarounds, feature requests, defects, and other knowledge so that it may be shared with appropriate teams.
BSc in Computer Science or related field, or equivalent work experience
2+ years of work-related experience as an Application Security Engineer, Application Security Developer or Sr. Application Security Analyst: scoping and recommending static and dynamic application security tools, collaborating with Application Development teams on projects, scanning code for vulnerabilities and CVEs, and reducing threat vectors in AWS, API and on-premises application environments
Knowledge and understanding of various disciplines such as security engineering, system and network security, authentication and security protocols, cryptography, and application security
Experience with one or more interpreted or compiled languages: Python, Ruby, Perl, PHP, C/C++, Java, C#
Programming and software development experience with one or more of: Python, Java, JavaScript, PowerShell, Bash scripting
Experience with cloud service providers and their offerings, preferably AWS and its various technologies and APIs
Knowledge of core security concepts such as web application firewalls, IDS/IPS, network security (Layer 2, 4 & 7), application vulnerability management
Familiar with Jenkins, Bamboo, CI/CD Pipeline, and other automation tools
SDLC, ITIL, Agile development methods and testing
Experience with Red Hat, AWS Linux, AWS Linux 2, Windows Server 2012, 2016 and 2019, etc.
Understanding of OWASP Top 10, SANS Top 20, NIST 800-53, CIS, CSC, or other security standards
Well versed in web application design, penetration testing, application risk assessment and risk categorization
Experience with VMware, Docker, Kubernetes, and other virtualization technologies
Nice to Have:
Knowledge of the MITRE ATT&CK Framework
Industry security certifications such as CISSP, CEH or others
Experience in Web and Mobile (Android/iOS) based application/service assessment
Experience in reverse engineering and associated tooling such as IDA
Knowledge of fuzzing, memory corruption and exploit development