Application Security Engineer - Vulnerability - Developer

Overview

Hybrid
$160,000 - $170,000
Full Time

Skills

DevSecOps
IaaS
Network
Software Development

Job Details

NO SPONSORSHIP

Application Security Engineering

We need somebody that came up as a software developer and now does application security.

This is a hands on Application Security role. You will be integrating tools into the CI/CD pipeline, doing vulnerability assessments etc. Developer background. Nice to have would be AI experience but not need to have.

SALARY: $160k - $170k plus 15% bonus

LOCATION: DALLAS, TX is the preference, but if you see somebody in Chicago they ll push it

Candidate would perform Network/Application and Web Application security. Also create custom scripts and perform automation while also perform security assessments on both legacy on prem and cloud environments. Candidate would also Identify, document and communicate vulnerabilities.

Primary Duties and Responsibilities:

Application Security / Secure SDLC

Build and optimize our security tooling stack, including SAST, DAST, SCA, and IaC.

Implement DevSecOps principles and integrate tools into CI/CD pipelines and developer workflows.

Define and improve secure SDLC processes

Automate security checks in CI/CD pipelines and developer tools

Build out process for threat modelling and secure design review process.

Implement security for supply chain security, AI/ML application security, Open source etc.

Review reports of the testing and conduct security risk assessments of the vulnerabilities.

The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.

Conduct IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams.

Assist with application security vulnerability management including implementation of new vulnerability management tools.

Qualifications:

Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.

(AWS, Azure, Google Cloud Platform, IaaS/PaaS/SaaS).

Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management

Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.

Strong knowledge of common enterprise infrastructure technology stacks and network configurations.

Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high level programming languages.

Technical Skills:

  • Deep knowledge of common web, API and cloud vulnerabilities (e.g. OWASP Top 10, CWE, auth flaws etc.).
  • Deep understanding of vulnerabilities, reachability, exploitability and how they affect applications.

  • Familiarity with secure coding principles across multiple languages (e.g. python, Java, JavaScript etc.).
  • Knowledge of how security fits into platform engineering and cloud native stacks.
  • Deep understanding of application layer attacks and defense mechanisms (CCS, CSRF, SQLi, XXE, SSRF, broken access control etc.).
  • Familiarity with API security (REST & GraphQL), Postman, OOWASP top 10).
  • Proficiency with artifact repositories and implementing security controls around component ingestion.
  • Knowledge of shift-left strategies and embedding controls early in the development lifecycle.
  • Familiarity with Kubernetes security, container scanning and cloud infrastructure as code.
  • Ability to triage and prioritize vulnerabilities based on exploitability, impact and business context.
  • Strong proficiency application security and vulnerability management.
  • Strong experience with custom scripting (python, C++, PowerShell, bash, etc.) and process automation.
  • Some proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark etc.).
  • Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls.
  • Experience with dedicated document management tools (e.g., DMS, PolicyTech) a plus.
  • Familiarity with application frameworks and their built-in security services and API s (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.).
  • Knowledge of security architecture design and principles including confidentiality, integrity and availability.
  • Knowledge of automated code scanning tools and development pipeline tools.
  • Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
  • Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP).
  • Fundamental understanding of network and data communications technologies
  • Knowledge of (AWS, Azure, Google Cloud Platform) Cloud security concepts, best practices, and environments.
  • Education and/or Experience:
  • BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
  • 5+ Years experience in Application Security or Information Security environment.
  • Experience writing scripts and working with containers in a CI/CD pipeline.
  • Exposure to security architecture design through application development or knowledge of security concepts/best practices.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.