Sr. Application Security Engineer

Fanatics is searching for an experienced application security specialist to help protect Fanatics-developed applications which are used externally and internally. A successful candidate will display strong communication and technical skills and be comfortable and effective working independently and as part of a larger, highly distributed team.
We're looking specifically for folks who place an emphasis on usable security and scaling successfully through automation. Fanatics is a fast-growing company, and our security program needs to be able to keep pace with that growth while not disrupting innovation.
Responsible for continually improving product security by partnering with developers in all phases of software development life cycle. Work with teams to ensure security standards are maintained on the design and implementation of applications and systems in cloud and on-premises environments.

EXPERIENCE REQUIRED:
·         A minimum of 7+ years of experience.

RESPONSIBILITIES:
 

• Establish security best processes and practices for our mobile, on-premises and cloud-based platforms.
• Provide expert knowledge and guidance to the product teams about security vulnerabilities and remediation controls.
• Support and consult with product and development teams in the area of application security, including threat modeling and Application Security reviews.
• Implement, continuously develop, and maintain secure Software Security Development Lifecycle processes and software maturity model.
• Perform threat modeling, secure design, and source code review.
• Conduct security assessments, security testing and validation of vulnerability scan results.
• Assist teams in reproducing, triaging, and addressing application security vulnerabilities.
• Incorporate security tools/tasks to automate product development and deployment.
• Develop, implement, and automate defensive controls, creating and tuning tools and rules to detect and address malicious activity. Responsible for integration of security controls into SDLC.
• Establish supply chain security process and ensure 3rd party software meet the standards.
• Facilitate injection, integration, and compliance for Static Application Security Testing (SAST), Container Security Scanning & Open-Source Security Analysis during development phase.
• Facilitate injection, integration, and compliance for Dynamic Application Security Testing (DAST)
• Contribute to triaging, addressing security issues and tracking remediation.
• Own and manage Secure SDLC tooling.
• Develop and customize security tools used by security teams and developers.
• Work closely with development teams to build security directly into their SDLCs.
• Provide remediation guidance to programmers and management.
• Support bug bounty program
• Support the preparation of security releases
• Mentor and train development teams on secure coding standards and techniques. Develop Secure Coding Program.
•  Constantly innovate at the pace of the adversary using latest techniques.

GENERAL KNOWLEDGE, SKILLS & ABILITIES:   

• In-depth knowledge of web and mobile security vulnerabilities, attack vectors and mitigation techniques 
• Experience with multiple programming languages (Java, JavaScript, Go, Python, Ruby, Objective-C, C#, PHP) with hands on level coding experience with at least one scripting and one objected oriented programming language. 
• Fluent with security testing with SAST, SCA, DAST, IAST, Fuzz and penetration testing tools 
• Understanding of application security standards such as OWASP ASVS/Top 10 and CWE 25 
• Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond). 
• Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP. 
• Knowledge of DevSecOps to maintain security in CI/CD pipeline. 
• Solid experience with security tools like Semgrep, CheckMarx, VeraCode, BurpSuite, Snyk, Nessus 
• Familiar with tools like Git, Jenkins, CircleCI, Maven, Ant, Gradle, Nexus, SonarQube, Artifactory, Chef, Splunk 
• Experience writing custom rules for static analysis tools. 
• Experience with API Security, IaC, Containerization, RASP, IAST 
• Experience with micro services, container deployment and service orchestration 
• Strong knowledge of cryptography, API security, and secret management 
• Ability to clearly and effectively communicate concerns and issues to the management and engineers. 
• Experience with Cloud (AWS, Azure, GCP) Security 
• Experience writing tools to automate tasks and integrate systems using scripting languages like Go, Python and REST APIs.  
• Experience in delivering and educating development groups in Secure Coding 
• Expertise with common vulnerabilities and attack vectors. 
• Experience integrating security tools into developer pipelines. 
• DevOps experience managing deployment and configuration. 

GENERAL SKILLS INCLUDE: 

• Strong critical thinking and analytical skills 
• Ability to approach problem solving in a constructive and collaborative way that does not require absolute security.  
• The ability to communicate complicated technical issues and risks to programmers, network engineers and managers. 
• Strong leadership, project, and team-building skills 
• Exceptional communication skills with diverse audiences; the ability to be an application security subject matter expert who can explain relevant topics to general audiences. 

EDUCATIONAL REQUIREMENTS:
·         Bachelor’s degree in computer science, Information Systems, or equivalent combination of education and experience
·         Certifications in the field of Information Security (at least one of the following: CISSP, CEH, GIAC, CWAPT, GWAPT, GWEB)