Software Engineer

Job Description

Strategic Planning:

- Align application security initiatives with business goals; refine Product Security processes and tools.

Technical Leadership:

- Stay updated on the latest trends and advancements in application security and apply them to continually improve the organizations security program.
- Recommend mitigations for vulnerabilities; manage third-party and open-source software risk.

Architecture and Design:

- Review application designs for security best practices.
- Design, enhance, and advocate for the threat modelling process. Conduct threat modelling and advise product teams on implementing appropriate security controls.

Security Reviews:

- Conduct security assessments throughout the development lifecycle.
- Collaborate with development teams to remediate security vulnerabilities.

Code Review and Analysis:

- Conduct code reviews and implement automated code analysis tools.

Secure Development Practices:

- Enforce secure coding practices, train developers in secure coding.

Incident Response/Customer Escalations:

- Lead incident response efforts related to application security incidents.
- Work with cross-functional teams to investigate and remediate security breaches.

Policy and Standards:

- Develop and enforce application security policies; ensure compliance with industry standards.

Security Testing:

- Oversee the implementation of security testing methodologies
- Conduct Penetration Testing activity for applications/systems

Security Awareness:

- Promote security awareness across engineering; conduct training for development teams on Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).

Collaboration:

- Collaborate with cross-functional teams, including development, operations, GIS, etc., to integrate security into all aspects of the software development lifecycle and improve security maturity.

Documentation and Reporting:

- Maintain comprehensive documentation of security processes/policies; produce maturity status reports for leads.
- Generate reports and conduct peer reviews.

Research and Innovation:

- Stay informed on emerging threats and vulnerabilities, and proactively implement innovative security solutions.

Vendor and Tool Evaluation:

- Evaluate and recommend security tools/technologies; Manage vendor relationships

What You Need To Succeed

- Industry standard best practices on application security controls, requirements, features, and specifications
- Application security issues, weaknesses, vulnerabilities, threats, risks, and impacts of exploitation
- Knowledge of common technologies used in web applications (such as JavaScript, HTML, DHTML)
- Familiarity with Security Standards and groups (OWASP, PCI, SANS, OSSTMM etc.)
- Strong vulnerability assessment experience of web, mobile and thick client applications, RESTful & JSON APIs, web servers, databases, and hosting environments (cloud, off-cloud, Containers)
- Strong experience in manual vulnerability assessment and penetration testing
- Hands on experience on Application Security tools such as Fortify, WebInspect, Burp, etc.
- Experience in planning, researching and developing security policies, standards and procedures in line with industry best practices
- A natural curiosity to learn how things work, and more importantly, how they can be made to work outside of their intended purposes, (i.e. the ethical hacker mentality)
- Preferably to have application security penetration testing related certifications, (e.g. GWAPT, OSWE, OSCP, GPEN, CPTE, CEH, GWEB, GCIH, etc.)
- Highly desirable to have general information security related certifications, (e.g. CISSP, CISM, GSEC, CCSP, etc.)
- Should have excellent team playing and collaborative skills, to work with multiple stake holders.
- Strong analytical, troubleshooting, writing, communication, and consultancy skills
- Possess a commitment to quality and a thorough approach to work

---