Senior Application Security Engineer

About The Position

Requirements

• Bachelor's Degree in Computer Science, Information Technology or a related field preferred.
• Five or more years previous related experience or an equivalent combination of education, training, and experience.
• Solid grasp of standard web application development technologies such as: Java, Python, JavaScript, Maven, HTML5, frontend tools (NPM, Grunt, Gulp, etc.), current frameworks (Angular, Backbone, Ember, ReactJS, Kotlin, Spring etc.).
• Familiarity with automated analysis / security testing technologies such as: Static Application Security (SAST), Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST) and Runtime Application Self-Protection (RASP).
• Thorough understanding of web application security and vulnerability / attack patterns such as those enumerated in the OWASP Top 10.
• Thorough understanding of the software development lifecycle and the ways in which security disciplines are incorporated into it and throughout its stages.
• Proficiency with web application penetration testing tools such as Burp Suite or OWASP ZAP.
• Familiarity with software security maturity models such as OSAMM or BSIMM.
• Familiarity with threat modeling and security risk analysis tools and processes.
• Familiarity with secure software design and coding practices.
• Thorough knowledge of security testing practices and supporting methodologies such as OWASP ASVS (Application Security Verification Standard).
• Ability to mentor less-experienced development staff and clearly communicate the goals of software security, the risks of insufficient security controls to the organization, the nature of common vulnerabilities, and the best practices for mitigating them.
• Ability to advocate for security, identity, and compliance imperatives in council discussions with senior domain engineers and application architects.
• Ability to assess security risks within the context of real-world software solutions and develop common-sense, pragmatic mitigation strategies in collaboration with project teams and business stakeholders

Nice To Haves

• Experience in DevOps and containerized cloud environments a plus, including Docker, Google Cloud Platform (GCP) and Kubernetes.

Responsibilities

• Establish strategic direction for software security standards, practices, tools, and lifecycle processes at Gordon Food Service.
• Oversee design-time threat modeling and risk assessment activities for deployed software solutions; mentor project teams in the practice of threat modeling.
• Conduct initial high-level risk assessments of SaaS (cloud) and COTS (commercial package) software solutions.
• Maintain secure coding standards and best practices for custom software development at Gordon Food Service.
• Work closely with Application Services teams and with the Gordon Food Service quality architect and QA/QC team to ensure that security controls are in place for Gordon Food Service custom software and it is security tested.
• Provide secure software development mentoring and guidance to Gordon Food Service software engineers.
• Perform internal penetration testing against new or modified software solutions.
• Coordinate external security assessments (e.g., “grey-box” web application penetration tests).
• Serve as the Enterprise Information Security (EIS) team resource to represent EIS concerns on the Gordon Food Service Application Engineering Council (AEC) and Application Architecture Council (AAC).
• Research and keep abreast of the dynamic threat landscape associated with software security, adapting Gordon Food Service protection strategies to proactively cope with emerging threats.
• Other duties and responsibilities as assigned.