Sr. Application Security Engineer - Work from home

What will this person do?

This individual is accountable for identifying weaknesses in our security posture within the application or web space while defining methods to achieve security control requirements via automation or highly efficient means that further support timely delivery and minimal overhead. They work in a team of infrastructure specialists and engineers making sure services are delivered and used securely as required. Works with and supports third parties to provide security services. The Sr. Application Security Engineer will advise and enable development and technical teams to make security decisions and provide advice and guidance, ensuring the effective use of common tools and patterns

• Best fit candidate will have a strong understanding of S-SDLC (Secure Software Development Life Cycle) process and implementation. Have a strong understanding of the OWASP top 10 Framework with Excellent communication skills to help guide / educate developers on creating code with security in mind in each phase of the SDLC.

Responsibilities :

Act as the point of contact for Application engineering and security.

Participate in security code reviews, and automate penetration testing against products prior to move to production.

Support engineering with implementing security fixes, ensuring security scanners are utilized correctly, and develop strategies to proactively secure their architecture.

Review development frameworks for security functionality, consistency, and uplift opportunities.

Create threat models and leverage them to prioritize time based on risk impact.

Educate and train product teams.

Evaluate client needs, coordinate design for a solution, and clearly communicate the value proposition of complex and highly technical subjects

Implement and / or assess existing security controls

Translates logical designs into physical designs. Produces detailed designs and documents all work using required standards, methods and tools, including prototyping tools where appropriate. Designs systems characterized by managed levels of risk, manageable business and technical complexity and meaningful impact. Works with well-understood technology and identifies appropriate patterns.

Client Job Description :

The Application Engineer, Cyber Security is responsible for building, managing and supporting information security that underpins all internal and external user technology services, according to security policies and best practices.

The Application Engineer, Cyber Security has strong development experience in numerous programming languages and is the subject matter expert (SME) for concepts behind security controls and how they apply to application development, web presence and API services. This individual is accountable for identifying weaknesses in our security posture within the application or web space while defining methods to achieve security control requirements via automation or highly efficient means that further support timely delivery with minimal overhead. They work across internal and external teams of infrastructure specialists and software engineers making sure services are delivered and used securely as required, offering advice and guidance on security decisions and ensuring the effective use of common tools and patterns.

The incumbent must have a service-oriented mentality, a high sense of ownership of the problems and requests assigned, a focus on managing and resolving issues in alignment with the SLAs, establishing and maintaining communication with technology customers to keep them updated with status of their requests, initiating and performing changes on production systems and proactively escalating any issues that cannot be resolved within the established timeframes.

Additional insights, experience or background in any of the following are also of great value : NIST, ISO27001, Data Protection, Python Development, Static Code Analysis, Dynamic Code Analysis, Penetration Testing, Containers, MicroServices, CI / CD Pipeline, Agile, Git, Jira, Docker, Kubernetes, cloud security (AWS, Azure, GCP) and design, process maturity, and other related focuses.

Primary Accountabilities :

Technical (80%)

• Be the security representative for multiple product lines and act as the point of contact for software engineering and security.
• Perform architecture reviews to steer projects in the right direction, participate in security code reviews, and automate penetration testing against products prior to move to production.
• Support software engineering with implementing security fixes, ensuring security scanners are utilized correctly, and develop strategies to proactively secure their architecture.
• Review development frameworks for security functionality, consistency, and uplift opportunities.
• Create threat models and leverage them to prioritize time based on risk impact.
• Evaluate client needs, coordinate design for a solution, and clearly communicate the value proposition of complex and highly technical subjects.
• Implement and / or assess existing security controls.
• Translate logical designs into physical designs; produce detailed designs and document all work using required standards, methods and tools, including prototyping tools where appropriate.
• Design systems characterized by managed levels of risk, manageable business and technical complexity and meaningful impact; works with well-understood technology and identifies appropriate patterns.

Project Management (20%)

• Work with application development teams to ensure secure software development lifecycle (S-SDLC) implementation and validation.
• Educate and train product teams.
• Evaluate client needs, coordinate design for a solution, and clearly communicate the value proposition of complex and highly technical cyber security subjects.

Specific Technical Skills Needed :

Security and Risk Assessment :

• Aware of Security governance principles and able to apply them to the enterprise
• Understands the legal and regulatory Issues relevant to the enterprise and does not place the enterprise at risk.

Security Engineering :

• Working knowledge of secure design principles
• Working knowledge of database security
• Working knowledge of cloud computing
• Working knowledge of Cryptography

Identity and Access Management :

• Physical and logical access
• LDAP
• Multi-factor authentication
• Session management
• Credential management

Software Development Security :

• Working knowledge of software development lifecycles
• Working knowledge of what software development methodologies are used in the enterprise and can explain what it means
• Familiar with DevOps concepts
• Working knowledge of security vulnerabilities and understands how the following work : Bounds checking, Input / output validation, Buffer overflow, Privilege escalation
• Working knowledge of secure coding practices
• Working knowledge of code repositories

Individual Competencies :

• Integrity : Gains the trust of others by taking responsibility for own actions and telling the truth.
• Teamwork : Builds relationships and works cooperatively with others, inside and outside the organization, to accomplish objectives to build and maintain mutually-beneficial partnerships, leverage information and achieve results.
• Adaptable : Responds to change with a willingness to learn new ways to accomplish work objectives with a positive attitude.

Innovative : Ability to develop, sponsor, or support the introduction of new and improved methods, products, procedures or technologies.

• Curious : A desire to inquire and learn, to seek new knowledge and wisdom, and to listen to the contributions of others with a genuine interest to better self, the team, and the organization.
• Analytical and Critical Thinking : Ability to tackle a problem by using a logical, systematic, sequential approach.
• Problem Solving : Gathers and analyzes information to generate and evaluate potential solutions to problems, issues and challenges while weighing the accuracy and relevance of the facts, data and information.
• Skills : *

Applications Security, S-SDLC, SDLC, OWASP Top 10, Developer, Cloud, Information security, Code Review, Threat Modeling, owasp, Application security, Security architecture, Vulnerability, code deployment

• Top Skills Details : *

Applications Security,S-SDLC,SDLC,OWASP Top 10,Developer,Cloud,Information security,Code Review,Threat Modeling

• Additional Skills & Qualifications : *

Required Qualifications :

Bachelor’s degree in Computer Science, Information Technology or related field

8-10 years of related work experience with application security, e.g. DAST, SAST, SCA, cloud security

Or any equivalent combination of experience and training / certification that provides the required knowledge, skills, and abilities needed to complete the major responsibilities / essential functions of the position

Certifications preferred. OSCP, CISSP, GCIH, GXPN, GPEN

Working experience in web and mobile application security

Working experience in distributed platform development security and design

In-depth knowledge of web and mobile security standards and best practices (OWASP, etc.)

Strong foundation in core information security principles and concepts (HTTPS, TLS, OAuth, etc.)

Working experience with industry tools and technologies such as Burp, Metasploit, etc.

Working knowledge of common languages

• Experience Level : *

Expert Level

About TEKsystems :

We're partners in transformation. We help clients activate ideas and solutions to take advantage of a new world of opportunity. We are a team of 80,000 strong, working with over 6,000 clients, including 80% of the Fortune 500, across North America, Europe and Asia. As an industry leader in Full-Stack Technology Services, Talent Services, and real-world application, we work with progressive leaders to drive change. That's the power of true partnership. TEKsystems is an Allegis Group company.

The company is an equal opportunity employer and will consider all applications without regards to race, sex, age, color, religion, national origin, veteran status, disability, sexual orientation, gender identity, genetic information or any characteristic protected by law.