The Application Security Engineer evaluates application security in all phases of the software development life cycle. Works closely with team members to define application security best practices, performs software security architecture and design reviews, and supports the identification, interpretation, and remediation of vulnerabilities across a variety of applications, programming languages, and platforms.
· Supports the development of technical security safeguards to protect information systems from intentional (unauthorized) or accidental (inadvertent) access or destruction.
· Serves as a liaison between development teams and stakeholders to understand and formulate security requirements for project/program.
· Apply broad technical knowledge and skills to analyze, develop, create and implement process improvements, trouble shooting, and operational support.
· Defines, maintains, and enforces application security best practices within DevSecOps environment.
· Conducts vulnerability assessment and manual/automated code reviews.
· Explains and demonstrates vulnerabilities to application owners and provide recommendations for mitigation.
· Documents security defects in defect management system
· Identifies additional application security related tools, conducts tool analysis, and provided recommendations.
Bachelor’s Degree in Computer Science, Engineering, or other Engineering or Technical discipline or equivalent relevant experience.
Desired Security+, CEH, GWAPT, GWEB, GSSP, CSSLP or SSP
Relevant Work Experience:
3-7 years of experience in Application Security, DevSecOps, or Penetration Tester.
· Experience in Security tools like Nessus, HP Fortify, Burp Suite
· Experience in secure code review of Java applications
· Experience in Secure SDLC and DevSecOps principles and framework
· Experience in Python programming
· Working experience and knowledge of AWS CI/CD services, GitHub and Jenkins
· Understanding of entire technology stack of networks, databases, applications and endpoints
· Understanding of web service technologies such as XML, JSON, SOAP, and REST
· Experience with web system security concepts, including authentication, authorization (RBAC), encryption/hashing, SAML, and LDAP.
· Good knowledge of OWASP Top 10 such as cross-site scripting (XSS), sessions hijacking, SQL injection, CSRF (Cross-Site Request Forgery), and other attack vectors.
· Knowledge or experience with security technologies, single-sign-on and identity management technologies.
· Understanding of encryption, hashing, secure random number generation, key derivation, digital signatures, etc.
· Working experience and knowledge of operating systems (e.g.: Windows, UNIX/Linux) and databases (Oracle, MySQL).
· Knowledge of risk analysis standards (e.g. NIST 800-30, CVSS, AVSS)