Sr. Application Security Engineer - Glassdoor (United States)

Listing Description

Position Responsibilities

The Senior Application Security Engineer will integrate security features, tools, and validation/detection processes into the product development lifecycle. This role will work closely with the Product and Engineering organizations to model cyber security threats, coordinate or perform proactive network and application penetration tests, develop tools and processes to automate the identification of security flaws, and identify effective mitigating controls where feasible in the application stack to build resilience into the products. The incumbent will partner with Engineering Teams to diagnose, document, and remediate application security vulnerabilities. Additional responsibilities include evaluating, recommending, and implementing application security related software in an automated continuous integration/deployment environment. Candidates with strong communication skills, excellent creative problem-solving skills, and experience working on cloud-based products will be most successful in this role!


Position Duties

  • Partner with Product Development Teams to formulate and implement a strategy for software security that is tailored to the specific risks faced by the product and its targeted consumers.
  • Conduct application security assessments and aggregate threat intelligence regularly to identify attack vectors against the infrastructure and products. Mitigate risk by updating the protection mechanism and developing appropriate detections via appropriate tools to facilitate effective incident response processes.
  • Develop and maintain a risk-based application security program based on a well-defined application security framework.
  • Develop an application security awareness and training curriculum in collaboration with the Engineering Organization.
  • Continuously evaluate the organization’s existing application security practices, define and measure security-related activities, and demonstrate concrete improvements to the application assurance program within the organization.
  • Coordinate or conduct application penetration testing and drive remediation efforts to completion.
  • Identify, develop, and integrate security testing tools, including but not limited to SAST, IAST, and SCA, into the continuous integration and continuous development framework.
  • Provide operational and executive-level reporting based on agreed-upon metrics that demonstrate program performance progression and material-impacting risk reduction.
  • Provide recommendations on security requirements to be included in product design and security testing.
  • Provide recommendations to the Risk Management Framework process activities and related documentation.
  • Research and design creative ways to achieve risk reduction objectives, including rapidly growing our current tool stack where appropriate.
  • Serve as a member of the security incident response team.
  • Assess risk arising from third parties, vendors, and partners in our ecosystem and design controls to mitigate such risks.
  • Document security processes and standards.


Required Skills

  • Deep expertise in software development with a security component is a must; experience in cloud-based product environments is preferred.
  • Bachelor’s degree in a relevant technical field/equivalent knowledge and experience.
  • Knowledge of OWASP Top 10 and CWE Top 25 Framework.
  • Experience building software solutions using common programming languages like Java, Node.js, Go, and Python.
  • Familiarity with Cybersecurity Frameworks including NIST 800-53, NIST CSF, CIS Top 20, MITRE ATT&CK, and OWASP Top Ten.
  • Deep knowledge of crypto, authentication and authorization protocols and standards, including SSL/TLS, SAML, OAuth, JWT Tokens.
  • A desire to (ethically) break into things, together with the ability to communicate attack scenarios and mitigation options based on a standard framework, is desired.
  • Ability to collaborate and provide clear point of view to multiple teams, ensuring results are aligned with company business objectives and delivered within planned timelines.
  • Outstanding written and oral communications skills with the ability to develop internal processes and articulate assessment results.
  • Hold at least one of the following certifications: CISSP, GWEB, GCIH, GCSA, GIAC, (GCPN).
  • Strong desire to add to our culture of diversity, equity and inclusion.


Listing Details

  • Salary: $150,000 - $190,000
  • Citizenship: US Citizen
  • Incentives: Both
  • Education: Not Provided
  • Travel: No Travel
  • Telework: Full Telecommute



About Us

NinjaJobs is a community-run job platform developed by information security professionals. Our unique approach of focusing strictly on cybersecurity positions allows us to personalize the user experience.

Our Contacts

1765 Greensboro Station Pl.
Suite 900
Tysons Corner Va 22102

(703) 594-7765