Our client is an international, nonprofit membership association for information security leaders, committed to helping members learn, grow and thrive by providing world-class certification programs, education & training, and professional development opportunities that inspire a safe and secure cyber world. With more than 130,000 certified members, they empower professionals who touch every aspect of information security. The Information Security Team is a fun, collaborative, dedicated and fast-paced group thriving in a constantly changing environment and threat landscape. Their top priority is to ensure the security of the organization and promote awareness across the organization.
Summary Description of Position:
Under the direction of the Security Lead, the Application Security Engineer will be an integral part of the security team and will work cross-functionally with several lines of business to ensure the secure delivery of products and applications. The Application Security Engineer will be expected to attend stand-ups and strategy sessions to identify areas of risk and offer consulting on best practices. The Application Security Engineer will act as a champion and will formalize the integration of application security into our current processes and tools.
Duties and Responsibilities:
The Application Security Engineer will be expected to facilitate technical design reviews, perform code analysis, offer remediation recommendations, perform manual and dynamic security testing, and document and present all findings. The Application Security Engineer will work closely with the Development, Release, and QA teams to identify and coordinate security testing, and to validate, test, and vet both internally and externally developed applications. As an Application Security Engineer, you will act as a DevOps Engineer who will be responsible for secure application delivery as well as the underlying infrastructure. The Application Security Engineer must be comfortable with securing cloud-based products in environments such as AWS and Azure. Additionally, this position will provide security risk assessments, create threat models and assist the Offensive Security Engineer with scoping penetration tests. In addition to the described daily duties, the individual will assist the security engineering team in the management of security technologies administered by the group (e.g. WAF, Firewall, IDS, and SIEM). This would be an “as needed” function, which is primarily to provide coverage for those duties when individuals on the security engineering team are out of the office for training or vacation. Additionally, the Application Security Engineer will be expected to participate in the CSIRT team and act as a Subject Matter Expert when dealing with the continuity of our operations and when responding to cyber incidents.
• Bachelor’s degree in computer science, information systems, related engineering field, or will consider relevant work experience in lieu of a degree.
• 5+ years’ experience in Information Security
• 3+ years’ Secure Development experience
• Application Knowledge and understanding of automation and scripting languages.
• Application Experience with implementing Secure Development Lifecycle in an agile environment.
• First-hand experience with architectural reviews, application reviews, and penetration testing.
• Application Experience with CI processes, particularly with building security practices into the pipeline.
• Ability to write some code, as needed, to conduct security-focused testing.
• Application Experience with common testing tools such as Veracode, Fortify, ZAP, Burp, and Fiddler among others.
• Application Understanding of common vulnerabilities & remediation.
• Strong design & code review skills.
• A solid understanding of Microsoft platforms such as .Net, Windows, C#, Azure.
• General Knowledge of cloud security, API security, and associated best practices.
Skills/Competencies:
• Ability to demonstrate and support the 5 Company Core Values: Integrity, Excellence, Unity, Accountability, Agility
• You are an architect, who can conduct architecture reviews of new systems and solutions.
• You are a builder, who can build and integrate application security in our SDLC.
• You are a collaborator, who likes to engage with the team and the industry.
• You are a team player, who will jump in and assist in other security functions as needed.
• You are a leader, who will use your knowledge to train and guide developers and engineers.
• This position will require an individual who demonstrates a passion for application security, creative and critical thinking, strong analysis skills, the ability to work in a fast-paced environment, and must have familiarity with agile, continuous integration, and continuous deployment.
• Experience in securing SaaS-delivered offerings in multiple cloud environments deployed with automation & orchestration.
Physical & Mental:
• Regular daily attendance at the ISC2 office
• Work extended hours, when necessary
• Work in an office environment using dual monitor computer screens