Overview:

• We are a leading AI-driven Global Supply Chain Solutions Software Product Company and one of Glassdoor’s “Best Places To Work”.
• Application Security Engineer mission is to create an end-to-end to end security architecture based on Secure By Design principles and responsible for performing and determining the technology that is implemented within the application security team.
• Provide strategic direction and subject matter expertise for wide adoption of DevSecOps automation tools, Cryptography and manual source code reviews across open source.

.

Scope:

• The role of the Application Security Senior Engineer is to work closely with information technology and development staff to help implement secure systems, tools, and processes.
• As an engineer, you will be responsible for performing and determining the technology that is implemented within the application security team.
• Being an expert and mentor on all technologies used by the security staff, researching new security trends and improvements, getting new staff members up to speed on internal projects and new development, and providing direction and management of assigned projects.
• Additionally, engineers will look for opportunities to collaborate and educate other departments that are impacted by application security projects and processes.

What you’ll do:

• Implement Secure SDLC  (Analyze and design Secure architecture, Design Application based on that, prepare secure coding guidelines across projects, and also reviewed support project architecture and code on security aspects)
• Provide strategic direction and subject matter expertise for wide adoption of DevSecOps automation tools, Cryptography and manual source code reviews on Java, JavaScript, Rest API using tools like Checkmarx, CodeQL, Fortity, Veracode, Snyk, Blackduck, Acunetic, AppScan etc.
• Understand how to identify, exploit, and remediate the OWASP Top 10, SANS 25 software flaws, and other vulnerabilities through use of tools and code review and propose solutions for advanced development situations.
• Ability to write tool specific custom queries to improve the scan results and eliminate false positives.
• Work with development teams to ensure false positives are verified and documented.
• Knowledge on Threat modelling methodology and tools like Microsoft threat modeler
• Experience in DevSecOps and CI/CD tools such as Github, GitLab, Jenkins, Nexus, Artifactory including how to secure them
• Good knowledge on cloud (Azure, AWS, GCP) and basic knowledge on cloud security posture management (CSPM)
• Good knowledge on FOSS/SCA, Software Supply Chain security analysis & basic knowledge on container security
• Knowledge on container scanning tools like Checkov, Trivy, etc
• Experience with Linux Containers (Docker), Kubernetes, and deployment of containerized applications/microservices architectures.
• Working with Teams to secure their Services (i.e., API security)
• Train new department staff and developers in application security concepts
• Identify gaps in application architecture, internal processes, and training to help guide the improvement of the department.
• Maintain a professional working relationship with other departments through clear communication and project level collaborations.
• Threat modeling

What we are looking for:

• 10+ years of secure development, penetration testing, and/or architecture experience
• Expert knowledge of SDLC
• Experience with current web application technology and concepts including containerization, development operations, and mobile technologies.
• Familiar with dynamic and static testing tools and techniques
• Familiar with secure coding principles and application architecture
• Comfortable with scripting and automation.
• Ability to work as part of a larger team to find solutions.
• Excellent communication skills
• CSSLP, CISSP, GWAPT, OSCP, or similar certifications preferred.