SME - Application Security Lead
Posted on May 2, 2021 by Request Technology
*We are unable to sponsor as this is a permanent full time role*
A prestigious fortune 500 company is on the search for a Sr. Application Security Engineer. This role is a Subject Matter expert that has heavy application security experience and can help build a practice. The client wants someone who came up through development and then got into security web development. The client is looking for someone with experience with CI/CD, Cloud, Java, Python, Pen testing, and AWS containers.
- The Application Security Technical SME is responsible for the analysis, evaluation, and execution of an ideal application security offering that integrates development activities, information security, and the automated release methods within the CI/CD pipeline.
- From an Information Security interest, this role is expected to fully grasp the concepts behind security controls and how they apply to application development, secure infrastructure, and CI/CD environments.
- This individual is accountable for identifying weaknesses in our security posture within the application or web space while defining methods to achieve security control requirements via automation or highly efficient means that further support timely delivery and minimal overhead. Other key responsibilities include:
- Critical thinking and analysis in the security discipline space is essential, as this role will take the approach of identifying root cause of information security exposure across the enterprise, with or without obvious indicators of exposure.
- Partnering with teams across the IT organization and helping to influence decisions which lead to a high standard of security.
- The secure design, architecture, and implementation of new applications. This includes secure software development lifecycle (SDLC) practices which incorporate threat modeling and security testing.
- Define and publish Application Security standards in a practical and consumable format. Ensure compliance with applicable security controls when writing such standards.
- Present recommendations for review and validation at the Technical Assurance Group.
- Conducting technology research for innovation, continuous improvement, and knowledge sharing for the Application Security space. Develops a subset of the technology strategy as a result of this research.
- Teach, enable, and advocate key Architecture and Technical principles and implementation across all engineers inside the Product Engineering Organization.
- Organizing training to improve employees knowledge and skills for future organizational growth as it relates to Architecture principles and standards.?
- Facilitate and direct appropriate Centers of Enablement including initiation, administration, and retirement.
- Assist in the development of training for all personnel related to the Application Security space.
- Drive innovation of new solution and integration-level patterns, tools and practices, managing risk and controlling technology sprawl .
- Contribute to talent acquisition and upskilling in area of expertise.
- Bachelor s Degree in Computer Science (related) or equivalent experience as a hands-on security architect/senior security engineer.
- Previous experience in defining organization-wide security processes and methodologies, a proven leadership/influence style, customer-service oriented demeanor, problem-solving, effective reporting via metrics and indicators, and strong communications are all essential to this function.
- 9+ years of IT Security Experience. Industry certifications are beneficial (ie CISSP, CEH, GPEN etc).
- Highly technical and analytical expertise, with a proven deep background in security technology design, implementation, and delivery. This individual must be comfortable providing metrics, analysis, and quantitative/qualitative evidence when necessary to drive a security outcome.
- The ability to code is a mandatory skill (this qualification is non-negotiable). Of particular importance is the ability to work with Delivery Infrastructure coding (eg Terraform, other required Scripting such as Python), along with languages such as Java and Kotlin.
- A comprehensive understanding of typical exploits and associated implications is essential to ensure observations and findings can be not only remediated but treated in accordance with the risk-ranked potential impact.
- Deep understanding of frameworks such as MITRE ATT&CK and OWASP ASVS. Understand how to implement these into an Application Security program and assess the application threat landscape. Be able to use these frameworks in communication with stakeholders.
- Ability to identify appropriate findings in vulnerability scan results and communicate with development teams on how to best remediate.
- Understand Authorization Policy as Code practices and be able to "write" such policy as code. Possess the knowledge and ability to create Security Automations on AWS.
- Understand OIDC/OAuth/SAML architecture and use patterns.
- Demonstrated understanding of good software design/architecture principles.
- Demonstrated coaching/teaching skills for small teams and individuals.
- Ability to create training plans and materials for technical people.
- Strong quantitative, analytical, problem-solving skills, including the ability to accumulate, organize and assimilate large amounts of information.
- Ability to work independently, plan, and prioritize work to meet commitments aligned with organizational goals.
- Mindset to continuously improve the technical knowledge of engineering partners
- Focus on continual self-improvement to maintain expertise
- Ability to lead/co-lead Risk Assessments and Security Reviews.
- Ability to lead the technical aspects of an Incident Response.