Applications Security Engineer

Role Summary :

The application security program is designed to ensure that any software developed or acquired meets stringent standards while enabling rapid innovation to meet customers ever? changing needs. The Application Security Engineer is responsible for providing application security services including secure coding techniques, security testing support and guidance for software development :

- Integrating security tools, standards, and processes into the product life cycle (PLC)

- Perform regular vulnerability assessment and penetration testing for Infrastructure, web applications, web services, mobile apps

- Supporting the incident response and architecture review processes whenever application security expertise is needed

- Identify, analyse and assess technical and organisational cybersecurity vulnerabilities

- Identify attack vectors, uncover and demonstrate exploitation of technical cybersecurity vulnerabilities

- Test systems and operations compliance with regulatory standards

- Select and develop appropriate penetration testing techniques

- Organise test plans and procedures for penetration testing

- Establish procedures for penetration testing result analysis and reporting

- Document and report penetration testing results to stakeholders

- Deploy penetration testing tools and test programs

- Managing annual penetration testing services, including both expert consulting and managed service

- Providing manual penetration testing and standards gap analysis services to internal business and technology partners

- Managing application framework and perimeter security improvement projects.

- Supporting vendor due diligence assessments to ensure 3rd party software meets Lebara security standards

- Producing metrics reporting the state of application security programs and performance of development teams against & EXPERIENCE :

- Familiarity and ability to explain common security flaws and ways to address them (e.g., OWASP Top 10, Sans 25)

- Basic development or scripting experience and skills. JavaScript, React, Node, .Net and/or Java are preferred

- A basic understanding of network and web related protocols (such as TCP/IP, UDP, HTTP, HTTPS, protocols)

- Familiarity with some common security libraries and tools (e.g., static analysis tools, proxying / penetration testing tools)

- Knowledge of the SSDLC process and its components.

- Knowledge in SOA (service-oriented architecture), Rest API technology and the API Gateway concept

- Knowledge of one of the three leading cloud services : Azure, GCP or AWS

- Experience in pen testing IaaS, SaaS, PaaS services, Container servers

- Experience in pen testing cloud services such as AWS, Azure

- Should have experience in vulnerability risk scoring system EPSS, CVSS etc.

- Experience in using opensource vulnerability intelligence to predict

- Must be proficient with security configuration standards such as CIS benchmark, NIST etc.

- Experience in maintaining external attack surface security posture

- Should have experience with attack path management

- Should have experience in Red Teaming exercises

- Should have experience in defense evasion, lateral movements, and privilege escalations techniques

- Very good knowledge in MITRE ATT&CK Framework & TTPS

- Very good knowledge in Windows operating system

- Very good knowledge in Linux servers

- Experience in pentest tools such as Kali Linux, Nmap NSE, Bloodhound, Metasploit, Password Crackers, Mimi Katz etc.

- Experience in vulnerability's scanner such as Rapid7 InsightVM, Tenable.io, Burp Suite, OpenVAS, NMAP NSE etc.

- Very good knowledge in scripting languages such as bash, python, PowerShell etc.

- Experience in application technology security testing (white box, black box and code review)

- Understanding of Apache web server and Unix server operating systems

- Knowledge of standard SDLC practices

- Ideally a relevant certification such as CISSP, CEH, OSCP, or CSSLP