Application Security Engineer III

RESPONSIBILITIES:  

• Establish security best processes and practices for our mobile, on-premises and cloud-based platforms.
• Provide expert knowledge and guidance to the product teams about security vulnerabilities and remediation controls.
• Support and consult with product and development teams in the area of application security, including threat modeling and Application Security reviews.
• Implement, continuously develop, and maintain secure Software Security Development Lifecycle processes and software maturity model.
• Perform threat modeling, secure design, and source code review.
• Conduct security assessments, security testing and validation of vulnerability scan results.
• Assist teams in reproducing, triaging, and addressing application security vulnerabilities.
• Incorporate security tools/tasks to automate product development and deployment.
• Develop, implement, and automate defensive controls, creating and tuning tools and rules to detect and address malicious activity. Responsible for integration of security controls into SDLC. 
• Establish supply chain security process and ensure 3rd party software meet the standards.
• Facilitate injection, integration, and compliance for Static Application Security Testing (SAST), Container Security Scanning & Open-Source Security Analysis during development phase. 
• Facilitate injection, integration, and compliance for Dynamic Application Security Testing (DAST)
• Contribute to triaging, addressing security issues and tracking remediation.
• Own and manage Secure SDLC tooling.
• Develop and customize security tools used by security teams and developers.
• Work closely with development teams to build security directly into their SDLCs.
• Provide remediation guidance to programmers and management.
• Support bug bounty program
• Support the preparation of security releases
• Mentor and train development teams on secure coding standards and techniques. Develop Secure Coding Program.
• Constantly innovate at the pace of the adversary using latest techniques. 

EDUCATIONAL REQUIREMENTS:  

• Bachelor’s degree in computer science, Information Systems, or equivalent combination of education and experience  
• Certifications in the field of Information Security (at least one of the following: CISSP, CEH, GIAC CPEN, OSCP, OSWE, CWAPT, GWAPT, GWEB)

EXPERIENCE REQUIRED:

• A minimum of  3 to 5  years of experience.

GENERAL KNOWLEDGE, SKILLS & ABILITIES:  

• In-depth knowledge of web and mobile security vulnerabilities, attack vectors and mitigation techniques
• Experience with multiple programming languages (Java, JavaScript, Go, Python, Ruby, Objective-C, C#, PHP) with hands on level coding experience with at least one scripting and one objected oriented programming language.
• Fluent with security testing with SAST, SCA, DAST, IAST, Fuzz and penetration testing tools
• Understanding of application security standards such as OWASP ASVS/Top 10 and CWE 25
• Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
• Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
• Knowledge of DevSecOps to maintain security in CI/CD pipeline.
• Solid experience with security tools like Semgrep, CheckMarx, VeraCode, BurpSuite, Snyk, Nessus
• Familiar with tools like Git, Jenkins, CircleCI, Maven, Ant, Gradle, Nexus, SonarQube, Artifactory, Chef, Splunk
• Experience writing custom rules for static analysis tools.
• Experience with API Security, IaC, Containerization, RASP, IAST
• Experience with micro services, container deployment and service orchestration
• Strong knowledge of cryptography, API security, and secret management
• Ability to clearly and effectively communicate concerns and issues to the management and engineers.
• Experience with Cloud (AWS, Azure, GCP) Security
• Experience writing tools to automate tasks and integrate systems using scripting languages like Go, Python and REST APIs. 
• Experience in delivering and educating development groups in Secure Coding
• Expertise with common vulnerabilities and attack vectors.
• Experience integrating security tools into developer pipelines.
• DevOps experience managing deployment and configuration.

General skills include:

• Strong critical thinking and analytical skills
• Ability to approach problem solving in a constructive and collaborative way that does not require absolute security. 
• The ability to communicate complicated technical issues and risks to programmers, network engineers and managers.
• Strong leadership, project, and team-building skills
• Exceptional communication skills with diverse audiences; the ability to be an application security subject matter expert who can explain relevant topics to general audiences.