What you will do:
To drive integrating security seamlessly into the Software development lifecycle, the Lead Application Security Engineer will serve as a technical subject matter expert working with Technical teams. This individual will collaborate with teams and vendors to determine security requirements and support all phases of integration, operations, and maintenance to ensure a secure software environment. They will be able to work independently or in a team environment.
- Provide subject matter expertise on secure coding practices and security design based on current knowledge of security threats and vulnerabilities that could impact the technology stack
- Support definition of Secure SDLC standard to include security architecture, design, and coding requirements for infrastructure, application, and data to align with application security maturity model and adopt a shift-left approach for security.
- Evaluate various application security tools, including SAST, DAST, SCA, IAST, and Pen Testing, and operationalize security tools for integration with CI/CD.
- Explains and interprets the vulnerability report items to development staff.
- Perform application testing and review security test results from scans and penetration testing to identify possible vulnerabilities that may be exploited and propose remediation solutions or mitigation controls.
- Develop security controls and processes for products and services developed and deployed for both cloud environments, preferably GCP
- Perform threat modeling, conduct security architecture reviews, and provide training to architects and developers to enhance the adoption of secure coding practice within the product development lifecycle.
- Provide security-related coaching and expertise to drive and elevate security expertise within the development teams
- Lead security innovation and best practices in product development through collaboration and learning from industry professionals and consortiums
- This position is also subject to being "on-call" for emergencies requiring immediate resolution.
What you need to have:
- QUALIFICATION REQUIREMENTS:
- Minimum 4-6 yrs of experience building production web applications and services in at least two on some of the following languages: Node JS, Java, React-Native, Android / Flutter,
- Experience performing Red Team operations in enterprise environments
- Experience in software coding/development including, scripting languages
- Building, deploying and managing Red Team operational infrastructure
- Knowledge of adversarial TTPs
- Experience with compromise and lateral movement in Mac, Linux, and Windows environments
- Open-source intelligence gathering and social engineering
- Web and mobile application assessments
- Wireless and network assessments
- Experience with custom payloads and exploit use in a production environment
- Desired Skills and Credentials:
- CVE/Bug Bounty/Responsible disclosures
- Knowledge of secure architecture and design patterns for Web, Mobile, and Microservices
- CI/CD and Appsec Tools: Sonar, Fortify, Checkmarx
- Reverse Engineering and Fuzzing to identify potential vulnerabilities
- Exploit development
- Security / Forensics Tools: Burp, Nmap, Nessus, NetStumbler, Cain & Abel, THC Hydra, W3af, GFI LANguard, Wireshark (Tshark), WinDump (TCPDump), Web inspect, tcpreplay, Access Data FTK, Encase, Helix, etc.
- OS & Testing Distros: RH Linux, CentOS, Fedora, Windows / XP / 7 / 10 / BackTrack, Kali Linux, PentestBox etc.
- Frameworks/Guidelines: ISO27001, NIST, ITU-T, OWASP, WASC, etc.
- Information security certifications: GPEN, OSCP, OSCE, OSWE