About the position
DKatalis is seeking a Lead Application Security Engineer who will be responsible for integrating security seamlessly into the software development lifecycle. They will collaborate with teams and vendors to determine security requirements and support all phases of integration, operations, and maintenance to ensure a secure software environment. The ideal candidate will have expertise in secure coding practices, security design, and application testing, and will be able to work independently or in a team environment. This position also requires staying "on-call" for emergencies requiring immediate resolution.
Responsibilities
- Drive the seamless integration of security into the software development lifecycle
- Serve as a technical subject matter expert working with Technical teams
- Collaborate with teams and vendors to determine security requirements
- Support all phases of integration, operations, and maintenance to ensure a secure software environment
- Work independently or in a team environment
- Provide subject matter expertise on secure coding practices and security design
- Support definition of Secure SDLC standard
- Evaluate various application security tools and operationalize security tools for integration with CI/CD
- Explain and interpret vulnerability report items to development staff
- Perform application testing and review security test results
- Identify possible vulnerabilities and propose remediation solutions or mitigation controls
- Develop security controls and processes for products and services
- Perform threat modeling and conduct security architecture reviews
- Provide training to architects and developers to enhance the adoption of secure coding practice
- Provide security-related coaching and expertise to drive and elevate security expertise within the development teams
- Lead security innovation and best practices in product development
- Be "on-call" for emergencies requiring immediate resolution
Requirements
- Minimum 5 years of experience building production web applications
- Subject matter expertise on secure coding practices and security design
- Knowledge of security threats and vulnerabilities
- Familiarity with secure SDLC standards and shift-left approach for security
- Experience with application security tools such as SAST, DAST, SCA, IAST, and Pen Testing
- Ability to interpret vulnerability reports and propose remediation solutions
- Experience developing security controls and processes for cloud environments, preferably GCP
- Knowledge of threat modeling and security architecture reviews
- Ability to provide security-related coaching and expertise to development teams
- Familiarity with security innovation and best practices in product development
- Willingness to be on-call for emergencies requiring immediate resolution
Benefits
- Subject matter expertise on secure coding practices and security design
- Support in defining Secure SDLC standard
- Evaluation and operationalization of application security tools
- Application testing and review of security test results
- Development of security controls and processes for cloud environments
- Threat modeling and security architecture reviews
- Security-related coaching and expertise for development teams
- Leadership in security innovation and best practices
- On-call availability for emergencies requiring immediate resolution
- Minimum 5 years of experience in building production web applications and services
- Experience in Red Team operations and software coding/development
- Knowledge of adversarial TTPs and compromise and lateral movement in different environments
- Open-source intelligence gathering and social engineering skills
- Web and mobile application assessments
- Wireless and network assessments
- Experience with custom payloads and exploit use in a production environment
- Desired skills and credentials in CVE/bug bounty/responsible disclosures, secure architecture and design patterns, CI/CD and AppSec tools, reverse engineering and fuzzing, exploit development, security/forensics tools, OS and testing distros, and frameworks/guidelines
- Information security certifications such as GPEN, OSCP, OSCE, OSWE