Application Security Engineer

Position Overview

The primary responsibility of the Application Security Engineer is to support technologies that enable the companies' cyber security goals and objectives, securing the confidentiality, integrity, and availability of software and computer information systems. The role will serve as a security engineer for software development, supporting technologies that facilitate the security of the software products and services. Additional key responsibilities of the role include; review of vulnerabilities identified by application security technologies and processes, providing true positive results to the appropriate software development teams, and coordination with those teams to support their triage and remediation efforts for identified, valid vulnerabilities. All duties are to be performed per Client's departmental policies, practices, and procedures.

Essential Duties & Responsibilities

• Act as a primary technical resource in the development of a comprehensive security program to support various Software Development Lifecycles (SDLCs) and ensure that software developed in this SDLC is free of security vulnerabilities.

• Manage application security program across multiple SDLCs.

• Ensure cybersecurity requirements are met before production release.

• Triage potential vulnerabilities identified by the application security program with the context of application and related business knowledge.

• Maintain understanding of core functionality of supported software and first-party applications.

• Review and understand code from both business logic and technical standpoints.

• Coordinate with developers to prioritize and remediate identified true positive vulnerabilities.

• Collaborate with software development and quality assurance teams to ensure code is free from security defects. • Communicate cybersecurity standards applicable to technology and coding workflows.

• Working with Application Security Engineers, optimize security with existing technologies and processes.

• Provide technical guidance to developers and engineers on cybersecurity best practices.

• Review performance of controls such as threat modeling, SCA, SAST, DAST, IAST, RASP, Secrets Scanning, Container Scanning, Misconfiguration Identification, Secure Code Review, CI/CD Pipeline Security, Deployment Environment Security.

• Coordinate with software development leadership, operations leadership, IT leadership, and cybersecurity leadership to integrate application security practices across departments.

• Actively seek ways to improve secure software development processes.

Additional Responsibilities:

• Develop and maintain security policies, standards, and guidelines.

• Conduct code analysis of first-party enterprise applications, through both manual and automation-enabled processes.

• Provide remediation guidance and recommendations to developers and administrators based on identified vulnerabilities and existing technology stack.

• Work with software development teams to prioritize and validate the urgency and mitigation of identified product vulnerabilities and security feature enhancement requests.

• Stay updated with the latest cybersecurity threats and trends and incorporate this knowledge into security architecture designs and practices.

• Conduct training and awareness programs to enhance the security posture of the organization. Participate in security audits and assist in regulatory compliance efforts.

• Work closely with IT operations and software development teams to ensure secure systems deployment and operations.

• Actively contribute to the organization's cybersecurity strategy and roadmap.

Minimum Qualifications

· Outstanding collaboration and communication skills.

•Any of the following combinations of education, professional experience, or both:

At least 2 years of experience in a relevant DevSecOps role and technical degree in computer / information science; or At least 4 years of experience in a relevant DevSecOps role; or At least 6 years of related field work experience, at least 1 year of which in a software development role, and at least 1 of which in a cyber security role and technical degree in computer / information science; or At least 8 years of relevant field experience, at least 1 year of which in a software development role, and at least 1 year of which in a cyber security role.

•Demonstrated experience working with technical and non-technical staff.

•Knowledge of application security, software development, and cyber security concepts.

•Basic knowledge of a broad range of IT, Security, Controls and Service Delivery standards and frameworks for example, International Standards Organization (ISO) 27001, IT Infrastructure Library (ITIL), Control Objectives for IT (CoBIT), and Capability Maturity Model Integration (CMMI).

•Experience with Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure or other cloud platforms, with experience in developing and implementing software.

•Experience developing software in various coding languages such as Java, C#, PHP, etc.

• Demonstrated knowledge of web applications, cyber security, and open-source technologies.

• Safety is an essential function of this job.

• Consistent and regular attendance is an essential function of this job.

•Ability to execute multiple projects and tasks under tight deadlines.

• Provide off-hours support on an infrequent but as needed basis. (Potential shifts may run 24/7 due to the needs of the business).

• Strong interpersonal skills with the ability to communicate effectively with guests and other Team Members of different backgrounds and levels of experience.

• Must be able to work varied shifts, including nights, weekends, and holidays.

Additional Experience Recommended

• Professional certification in multiple programming languages (C#, .NET, Java, etc.) recommended.

• Professional certifications in cyber security (CISSP, OSCP, etc.) recommended.

• Experience with CI/CD and pipeline tools such as Jenkins, Docker, Kubernetes, and others.

• Knowledge of cloud platforms and services, with experience in cloud security.

• Experience with automated software and security testing tools and techniques.

• Ability to stay updated with the latest industry trends and advancements in cybersecurity.

• Understanding of enterprise software development practices.

• Experience working with software development teams.

• Experience identifying cybersecurity vulnerabilities and weaknesses in software.

• Experience reading, writing, and auditing software in multiple programming languages.

• Strong familiarity with common vulnerabilities and attack vectors.

• Knowledge of common encryption technologies (AES, PGP, SSH, SSL, etc.).

• Knowledge of common authentication protocols (OpenID Connect, OAUTH, SAML, RADIUS, LDAP, KERBEROS, etc.).

• Previous work experience as an Application/Product Security Engineer or Software Developer. •Experience integrating security testing into an SDLC.

• Experience with incident response and handling methodologies.

• Experience with security technologies such as intrusion detection/prevention systems (IDS/IPS), firewalls, SIEM, etc.

Physical Requirements

Must be able to:

• Lift or carry 20 pounds, unassisted, in the performance of specific tasks, as assigned.

• Physically access all areas of the property and drive areas with or without reasonable accommodation.

• Maintain composure under pressure and consistently meet deadlines with internal and external customers and contacts.

• Ability to interact appropriately and effectively with guests, management, other team members, and outside contacts.

• Ability for prolonged periods of time to walk, stand, stretch, bend and kneel. •

Work in a fast-paced and busy environment.

• Work indoors and be exposed to various environmental factors such as, but not limited to, CRT, noise, dust, and cigarette smoke.