Application Security Engineer II

Role Purpose: The Application Security Engineer will be a hands-on role responsible for delivering security engineering services to Jumio’s engineering teams and building secure systems and cloud infrastructure with our engineering teams and for executing initiatives on improving our security program. 

Role Value:This role plays a vital part in our global Infosec function. It enables our business and customers to have more confidence in our systems, our processes and our ability to manage the cyber threats we face by ensuring that we work in a secure cloud infrastructure.  

Example Responsibilities

• Collaborate with Engineering and Infrastructure teams to identify and fill any security gaps in our SDLC, cloud infrastructure and associated processes
• Integrate security into the Software/Infrastructure processes from initial threat modelling to decommissioning 
• Perform manual penetration testing of Web/mobile applications and APIs
• Audit source code and perform code review for critical application changes
• Help teams in understanding security vulnerabilities and associated risk, providing guidance in prioritizing and remediation efforts
• Identify critical security risks and drive mitigation with engineering teams
• Manage cross-functional internal and external team collaboration and communications
• Deploy security services and tools through IaC, and actively promote the culture of security as code
• Periodic security assessments and configuration review of cloud environments
• Build custom security solutions tooling and automation and lead security initiatives
• Build, promote and scale DevSecOps across the company and enable integration of tools and practices as the teams transition to DevSecOps. 

Experience and Qualifications

• 4+ years of experience in a security engineering role, either specialized in application security or cloud security or both with a working knowledge of the non-specialized domain
• Strong familiarity with Linux operating systems and cloud ecosystems like Amazon AWS, GCP, including networking concepts and security services and patterns
• Understanding of core AWS Cloud Services (e.g. EC2, ECS, Lambda, RDS, etc.) architecture (e.g. Well-Architectured Framework) and micro services
• Experience in implementing secure IaC solutions
• Experience in container-based architecture and deployments (Docker, Kubernetes)
• Hands on experience in pen testing Web application and API
• Deep understanding of OWASP Top 10 and CWE 25 
• Experience in using SAST, DAST, IAST, SCA tools
• Experience in Threat Modeling

• Ability to communicate well, present security threats and risks to engineering teams 
• Self-motivated; ability to work independently on new initiatives.

Great to have Experience and Qualifications 

• Experience in pentesting mobile applications
• Experience in implementing secure infrastructure as code
• Experience with scripting languages such as Python 
• Knowledge on CI/CD automation tools (AWS DevOps, Github Actions, Jenkins)
• Relevant security certifications such as CREST, OSCP, OSWE, CEPT, CMWAPT, GPEN, PentTest+, AWS Cloud Practitioner, AWS Security Speciality or any AWS Associate level certification
• Bachelor's degree or experience with Master's degree in Computer Science

Key Characteristics and Attitudes 

• Passion for product security as a subject 
• Ability to learn and adapt to changing technology landscape 
• Desire to enable change and continuous growth