Sr. Application Security Engineer

Position Overview

In support of business objectives, we are actively looking for an ambitious person, who is not afraid of hard-work and embraces ambiguity as it comes to join our Information Security Team as a Sr. Application Security Engineering (Dev).

What we do

The InfoSec team drives security, privacy, and compliance improvements to reduce risk by building out key security programs. We enable our colleagues to keep the company secure and support our customers’ security journey with tried and true best practices. We are a Java, Python, and React shop combined with world class cloud infrastructure such as AWS & Snowflake. Balancing proper security while enabling execution speed for our colleagues is our ultimate goal. It’s challenging and rewarding!

If you are up for the challenge, come join us.

The Opportunity

First and foremost, you are a developer at heart with a passion for security! You will be instrumental in curing security defects in code, burning down any new and existing vulnerabilities. You can fix the code yourself and continuous patching is your north star. You will be the champion for safeguards and standards that will keep our code secure and reduce the introduction of new vulnerabilities.

Partner and collaborate with internal stakeholders in assisting with the overall security posture with an emphasis on the Engineering and Operations/IT areas. Work across engineering, product and business systems teams to enhance and evangelize security in applications (& infrastructure). 

Research emerging technologies and maintain awareness of current security risks in support of security enhancement and development efforts. Develop and maintain application scanning solutions to inform stakeholders of security weaknesses & vulnerabilities. Review outstanding vulnerabilities with product teams and assist in remediation efforts to reduce risk.

Help in developing the capability to automate triaging, validating, reporting and reproducing application vulnerabilities, then capture and document your excellent work.

Qualifications

• Bachelor's degree in computer science or another STEM discipline and 8 to 10+ years of professional experience in security software development. Majority of prior experience as a Security Engineer focused on remediation of security vulnerabilities and defects in Java and Python.
• Must have prior in-depth demonstrable experience developing in JAVA and Python; Basically you are developer first and a security engineer second. Applicants that do not have this experience will not be considered.
• Experience developing in, and securing, Javascript and React a plus.
• Experience securing integrations and code that utilizes Elasticsearch, Snowflake, Databricks, RDS a big plus.
• Detail-oriented with problem solving, communication, and analytical skills.
• Expert understanding of CVE and CVSS scoring and how to utilize this data for validation, prioritization, and remediation.
• Excellent understanding and utilization of OWASP
• Demonstrated ability to secure API; Techniques, patterns, will be assessed.
• Experience designing and implementing application security solutions for web and or mobile applications
• Experience developing and reporting vulnerability metrics as well as articulating how to reproduce and resolve those security defects.
• Experienced in application penetration testing;  and understanding of remediation techniques for common misconfigurations and vulnerabilities
• Demonstrable experience in understanding patching and library upgrade paths including interdependencies
• Familiarity with CI/CD tools. Previous admin experience in CI/CD is not required but a big plus.
• Capability to deploy, provide maintenance for, and operationalize scanning solutions.
• Hands-on ability to conduct scans across application repositories and infrastructure.
• Must be willing to work extended hours and weekends as needed
• Great at and enjoys documenting solutions; creating repeatable instruction for others, operational documentation, developing technical diagrams, and similar artifacts.

Preferred Qualifications

• You can demonstrate and document threat modeling scenarios using well-known frameworks such as STRIDE
• Proficient with penetration testing tools such Burp suite, Metasploit or ZAP
• You are already proficient with SAST & SCA tools; proficiency with DAST and/or OAST tool usage and techniques would be even better.
• As a mentor you also have the experience and desire in providing fellow engineering teams with technical guidance on the impact and priority of security issues and driving remediation
• Capability to develop operational process from scratch or improve current processes and procedures through well thought out hand-offs, integrations, and automation
• Familiarity with multiple security domains such as application security, infrastructure security, network security, incident response, and regulatory compliance and certifications
• Understanding of modern endpoint security technologies/concepts
• Adept at working with distributed team members