Applications Security Engineer
DKatalis
·
Posted:
November 3, 2021
·
Remote
About the position
The Lead Application Security Engineer will be responsible for integrating security into the software development lifecycle. They will work with technical teams and vendors to determine security requirements and support all phases of integration, operations, and maintenance to ensure a secure software environment. The engineer will provide subject matter expertise on secure coding practices and security design, evaluate various application security tools, perform application testing, and review security test results. They will also develop security controls and processes for products and services developed and deployed for both cloud environments. The ideal candidate should have a minimum of 4-6 years of experience building production web applications and services and experience performing Red Team operations in enterprise environments. Desired skills include knowledge of secure architecture and design patterns, CI/CD and Appsec tools, and information security certifications.
Responsibilities
- Drive integrating security seamlessly into the Software development lifecycle
- Serve as a technical subject matter expert working with Technical teams
- Collaborate with teams and vendors to determine security requirements and support all phases of integration, operations, and maintenance to ensure a secure software environment
- Provide subject matter expertise on secure coding practices and security design based on current knowledge of security threats and vulnerabilities that could impact the technology stack
- Support definition of Secure SDLC standard to include security architecture, design, and coding requirements for infrastructure, application, and data to align with application security maturity model and adopt a shift-left approach for security
- Evaluate various application security tools, including SAST, DAST, SCA, IAST, and Pen Testing, and operationalize security tools for integration with CI/CD
- Explain and interpret the vulnerability report items to development staff
- Perform application testing and review security test results from scans and penetration testing to identify possible vulnerabilities that may be exploited and propose remediation solutions or mitigation controls
- Develop security controls and processes for products and services developed and deployed for both cloud environments, preferably GCP
- Perform threat modeling, conduct security architecture reviews, and provide training to architects and developers to enhance the adoption of secure coding practice within the product development lifecycle
- Provide security-related coaching and expertise to drive and elevate security expertise within the development teams
- Lead security innovation and best practices in product development through collaboration and learning from industry professionals and consortiums
- Be "on-call" for emergencies requiring immediate resolution.
Requirements
- Provide subject matter expertise on secure coding practices and security design based on current knowledge of security threats and vulnerabilities that could impact the technology stack
- Support definition of Secure SDLC standard to include security architecture, design, and coding requirements for infrastructure, application, and data to align with application security maturity model and adopt a shift-left approach for security.
- Evaluate various application security tools, including SAST, DAST, SCA, IAST, and Pen Testing, and operationalize security tools for integration with CI/CD.
- Explains and interprets the vulnerability report items to development staff.
- Perform application testing and review security test results from scans and penetration testing to identify possible vulnerabilities that may be exploited and propose remediation solutions or mitigation controls.
- Develop security controls and processes for products and services developed and deployed for both cloud environments, preferably GCP
- Perform threat modeling, conduct security architecture reviews, and provide training to architects and developers to enhance the adoption of secure coding practice within the product development lifecycle.
- Provide security-related coaching and expertise to drive and elevate security expertise within the development teams
- Lead security innovation and best practices in product development through collaboration and learning from industry professionals and consortiums
- Minimum 4-6 yrs of experience building production web applications and services in at least two on some of the following languages: Node JS, Java, React-Native, Android / Flutter,
- Experience performing Red Team operations in enterprise environments
- Experience in software coding/development including, scripting languages
- Building, deploying and managing Red Team operational infrastructure
- Knowledge of adversarial TTPs
- Experience with compromise and lateral movement in Mac, Linux, and Windows environments
- Open-source intelligence gathering and social engineering
- Web and mobile application assessments
- Wireless and network assessments
- Experience with custom payloads and exploit use in a production environment
- CVE/Bug Bounty/Responsible disclosures
- Knowledge of secure architecture and design patterns for Web, Mobile, and Microservices
- CI/CD and Appsec Tools: Sonar, Fortify, Checkmarx
- Reverse Engineering and Fuzzing to identify potential vulnerabilities
- Exploit development
- Security / Forensics Tools: Burp, Nmap, Nessus, NetStumbler, Cain & Abel, THC Hydra, W3af, GFI LANguard, Wireshark (Tshark), WinDump (TCPDump), Web inspect, tcpreplay, Access Data FTK, Encase, Helix, etc.
- OS & Testing Distros: RH Linux, CentOS, Fedora, Windows / XP / 7 / 10 / BackTrack, Kali Linux, PentestBox etc.
- Frameworks/Guidelines: ISO27001, NIST, ITU-T, OWASP, WASC, etc.
- Information security certifications: GPEN, OSCP, OSCE, OSWE