Applications Security Engineer

The job overview for this role is that the Lead Application Security Engineer will be responsible for integrating security seamlessly into the software development lifecycle. They will serve as a technical subject matter expert, collaborating with teams and vendors to determine security requirements and supporting all phases of integration, operations, and maintenance. The engineer will provide expertise on secure coding practices and security design, evaluate application security tools, perform application testing, and develop security controls and processes. They will also be responsible for driving security expertise within the development teams and staying updated on security innovation and best practices.

• Drive integrating security seamlessly into the Software development lifecycle
• Serve as a technical subject matter expert working with Technical teams
• Collaborate with teams and vendors to determine security requirements
• Support all phases of integration, operations, and maintenance to ensure a secure software environment
• Work independently or in a team environment
• Provide subject matter expertise on secure coding practices and security design
• Support definition of Secure SDLC standard
• Evaluate various application security tools and operationalize security tools for integration with CI/CD
• Explain and interpret vulnerability report items to development staff
• Perform application testing and review security test results
• Identify possible vulnerabilities and propose remediation solutions or mitigation controls
• Develop security controls and processes for products and services
• Perform threat modeling and conduct security architecture reviews
• Provide training to architects and developers to enhance the adoption of secure coding practice
• Provide security-related coaching and expertise to drive and elevate security expertise within the development teams
• Lead security innovation and best practices in product development
• Be "on-call" for emergencies requiring immediate resolution
• Have minimum 4-6 yrs of experience building production web applications and services
• Experience performing Red Team operations in enterprise environments

• Minimum 4-6 yrs of experience building production web applications and services in at least two of the following languages: Node JS, Java, React-Native, Android / Flutter
• Experience performing Red Team operations in enterprise environments

• Integration of security seamlessly into the Software development lifecycle
• Collaboration with teams and vendors to determine security requirements
• Support for all phases of integration, operations, and maintenance to ensure a secure software environment
• Ability to work independently or in a team environment
• Subject matter expertise on secure coding practices and security design
• Support for definition of Secure SDLC standard
• Evaluation of various application security tools and operationalization of security tools for integration with CI/CD
• Explanation and interpretation of vulnerability report items to development staff
• Application testing and review of security test results
• Development of security controls and processes for products and services
• Threat modeling and security architecture reviews
• Training to enhance the adoption of secure coding practice
• Security-related coaching and expertise
• Collaboration and learning from industry professionals and consortiums
• "On-call" availability for emergencies requiring immediate resolution
• Minimum 4-6 years of experience building production web applications and services
• Experience in Red Team operations in enterprise environments
• Knowledge of adversarial TTPs
• Experience with compromise and lateral movement in Mac, Linux, and Windows environments
• Open-source intelligence gathering and social engineering
• Web and mobile application assessments
• Wireless and network assessments
• Experience with custom payloads and exploit use in a production environment
• Desired skills and credentials in secure architecture and design patterns, CI/CD and Appsec Tools, reverse engineering and fuzzing, exploit development, security/forensics tools, OS & Testing Distros, and frameworks/guidelines
• Information security certifications