The Cyber Security – Application Security Engineer will play a critical role in code security and the secure software development life cycle. It will encompass a broad range of information security controls to ensure the confidentiality, integrity, and availability of enterprise data stored on a variety of vendor database solutions. The job is composed of tactical, operational and strategic functions and responsibilities.
- Conduct static and dynamic analysis on a variety of code bases and platforms.
- Through standard enterprise tools, discover security vulnerabilities in web and mobile applications and provide recommended remediation steps to developers.
- Recommend industry best practices for vulnerability and threat management remediation.
- Document findings for management and technical staff and recommend mitigating actions.
- Work with internal customers to determine their need for security assessments, present and explain the employed methodology, and support them with feedback and verification during mitigation.
- Develop training on secure coding techniques and security awareness for technical staff (e.g., software developers).
- Bachelor’s Degree in Information Technology, Cyber Security, Computer Security, Computer Science or related field required.
- 6 years of web or mobile development experience, or 4 years of application security engineering experience
- Ability to maintain composure in a dynamic environment
- Individual must be proactive, self-motivated, detail-oriented, creative, inquisitive and persistent
- Strong leadership skills, including ability to execute and prioritize a number of tasks simultaneously
- Ability to organize, plan and implement work assignments, prioritize competing demands and work under pressure of frequent and tight deadlines
- Experience in conducting and facilitating discussions with employees across all levels and departments
- Excellent, up-to-date technical and hands-on knowledge of, and experience with, current attack methods, penetration testing methods, and hacking tools, specifically for web and mobile applications, is required.
- Tools: Fortify Suite, NMap, Nessus, Burp suite, Metasploit, AppScan Standard, AppScan Source, McAfee Vulnerability Manager, Core Impact
- Common vulnerabilities and how to find and verify them: authentication (e.g., secure transmission, weak login mechanisms, backend authentication, weak SSL configuration), authorization (e.g., session handling, replay, fixation), client-side attacks (e.g., XSS, CSRF), information disclosure (e.g., error handling, debug information), code injection (e.g., SQL, OS commands, buffer overflow, format strings), logic attacks (e.g., lockout, flooding, insufficient anti-automation, spoofing), review of secure configuration of OS and network devices
- Knowledge of the J2EE technology stack is a must; proficiency in the .Net stack is a plus