
This vacancy is already closed

Infopulse / Інфопульс: Application Security Engineer vacancy

Application Security Engineer

Infopulse / Інфопульс
6 months ago
08 October 2023
Lviv

The security specialist will be collaborating closely with our Application Development, DevOps and Production Support teams with a focus on defining processes and standards, ensuring that corporate requirements and best practices are implemented in SDLC. In this role, the specialist will collaborate closely with all our internal and our customer’s development teams to ensure adherence to security policies, processes and standards, provide information security recommendations and guidance in order to identify, manage, and mitigate security risks.

The applicant will have a strong knowledge of application security and data protection, demonstrate competencies in legacy and modern web application development, data protection and privacy, application architecture and frameworks, application security industry best practices, application vulnerability types, threat vectors and remediation approaches, development methodologies, application security testing tools, familiarity with APIs for integration, process documentation, and vulnerability management.

Areas of Responsibility

  • Perform threat modelling, risk assessment, secure design and source code review for applications
  • Perform system and application security requirements review, definition and clarification
  • Collaborate closely with development teams to assess the security posture/risk of the product features being developed and help integrate the best security practices into their development processes and source code security review
  • Support the application team as well as development teams to design and implement processes and/or tools for secure code reviews and security testing
  • Develop abuse use cases for project-related security testing in alignment with the security requirements objectives
  • Perform targeted security tests to assist in detection and remediation validation of security-relevant defects and vulnerabilities
  • Conduct application security assessments, contribute to the security enhancement of the Systems Development Life Cycle (SDLC), provide actionable security recommendations for the development of various types of applications: web, mobile, embedded, etc.
  • Recommend security solutions, develop and implement security and compliance tools in support of security analysis processes
  • Incorporate security tools/tasks into automated product development and deployment lifecycles (SAST/DAST/IAST integration into CI/CD pipeline)
  • Implement security culture, tools and processes into software development environment
  • Collaborate closely with product and platform teams to design and implement security controls and best practices
  • Provide secure application development training to developers
  • Develop and maintain a balanced application security programme based on a well-defined application security framework
  • Stay current with security industry trends and implement best practices within Secure SDLC
  • Investigate and pilot commercial and open-source application security tools
  • Participate in the development of corporate documents on system and application security
  • Develop corporate documents, technical reports, metric reporting and security-related presentations

Qualifications

  • Bachelor's or Master’s degree in computer science or related field or equivalent experience, depending on the role level
  • 4+ years of experience with application security architecture with expertise in applying secure software development methods within the SDLC, designing and building secure software systems
  • Solid understanding of fundamental application security building blocks such as authentication, authorization, data validation, encryption and security assurance
  • Strong familiarity with application security concepts/standards/laws/best practices (e.g. OWASP, NIST, CIS, ISO 15408, ISO 27xxx, PCI DSS, EU GDPR)
  • Experience of mentoring, advising or guiding teams to follow architectural or security best practices
  • Experience of conducting security code review, application threat modelling and security risk assessment
  • Understanding of the TCP/IP Stack, web application architecture, encryption fundamentals and OWASP Top 10
  • Strong desire to grow in both engineering and security expertise
  • Good knowledge of software development processes, integration of security assessments in Software Development Life Cycle (SDLC) process
  • Understanding of Agile/DevOps principles
  • Familiarity with code reviews, application security tools and techniques
  • In-depth, hands-on understanding of application architectures and technology (including web applications, mobile technology, identity and access management)

Desired Skills

  • Experience of performing application security assessments such as threat modelling, security testing, vulnerability management and remediation
  • Experience with or knowledge of security testing tools such as SAST or DAST
  • Good understanding of at least two of the following programming languages (i.e. the ability to understand the issue by looking at code snippets): C#, C++, Java, Python, JS
  • Experience in application development, secure coding and scripting languages for automation is an advantage
  • Experience with Microsoft Cloud Security
  • Experience with architecture security design and review is an advantage
  • Knowledge of vulnerability management and security testing tools such as Acunetix, Nessus, Nmap, Burp, ZAP, Kali Linux

Personal Skills

  • Strong analytical and problem-solving skills
  • Ability to research, analyse and resolve complex problems with minimal supervision and escalate issues as appropriate
  • Strong ability to learn and research new things, including tools, languages, frameworks, etc.
  • Self-starter; ability to manage multiple tasks according to priorities; result-oriented mindset and proven ability to meet deadlines
  • Strong interpersonal skills
  • Experience of evaluating and selecting toolsets
  • Excellent documentation skills
  • Able to work independently or with a team
  • Able to multi-task and consistently deliver to deadlines
  • Excellent communication skills: presentation, written and verbal.

Ivan


more than 500 employees

on the market since 1991
