Major duties will focus on providing secure development services such as design reviews, code reviews, and security testing during product development, as well as providing training and consultation to product teams to improve their internal capabilities in these areas. This engineer will also drive adoption of security tools and services from external vendors: evaluating and selecting vendors, assisting with integration of these services into engineering workflows, and providing expertise to interpret and remediate security issues identified by these tools and services.
- Perform design consultation, architecture review, threat modeling, code review, and testing.
- Assist in the development of test cases, scripts, procedures, and tooling for QA security testing.
- Perform application vulnerability assessments.
- Analyze output from security tooling and provide guidance to drive remediation.
- Assess SDLC processes and provide guidance on increasing security review coverage.
- Identify toolsets and vendors; drive adoption and implementation.
- Consult with development and QA staff to remove false positives and prioritize remediation based on security scanning tools' output.
Number of Years of Work Experience: 5 years' experience in application security, plus 3-5 years of software development experience (development or QA).
- Understanding and familiarity with common code review methods and standards.
- Knowledge of secure coding patterns and pitfalls in multiple languages (Java, .NET, C++, Python, ...).
- Knowledge of secure configuration patterns for middleware and OS platforms (Tomcat, JBoss, WebLogic; common relational and NoSQL databases; Windows, Linux, iOS, Android; Azure and AWS cloud infrastructure).
- Demonstrated experience providing security review of web applications, mobile applications, thick clients, web APIs (REST, SOAP), AuthZ/AuthN protocols and technologies, and cryptography.
- Experience with static analysis and dynamic analysis tools.
- Experience with offensive security tools and methodologies.
- Penetration testing experience, especially at the application level.
- Familiarity with development and test toolsets (source code control, build systems, test automation, ticketing systems).
- Knowledge of OWASP tools and methodologies (Top 10, 2013 and 2017 editions).
- Knowledge of standard SDLC practices and security touchpoints in Agile, DevOps, and waterfall processes.
- Experience with the application security requirements of HIPAA, PCI, and ISO 27000.
- Solid understanding of network security, hardening, patch management, penetration testing, vulnerability testing, Windows systems, open systems, applications, and web and public-facing systems. Azure / AWS cloud architecture as it relates to application security is a must.
- Knowledge of analytic and monitoring tools (Elasticsearch, Logstash, and Kibana (ELK) and/or Splunk, Sumo Logic).
- Ability to code in Python.
- Expertise with Veracode, Rapid7 Nexpose, WhiteHat, or other vulnerability scanners.
- Ability to reverse engineer undocumented applications or architectures.
- Linux and Windows system administration.
- Ability to multi-task under agile deadlines.
- Proficient English language written and oral communication skills.
- Bachelor's Degree in Computer Engineering, Computer Science, or Information Systems Management. Will consider work experience in lieu of or supplementing formal education.
- CISSP, CSSLP, CEH, or equivalent security certifications.