Application Security Engineer

Overview

Hybrid
$160,000 - $170,000
Full Time

Skills

Application Security
SAST
DAST
SCA
DevSecOps
Cloud Security
penetration testing

Job Details

***Hybrid, 3 days onsite, 2 days remote***

***We are unable to sponsor as this is a permanent full-time role***

A prestigious company is looking for an Application Security Engineer. This engineer will focus on web applications, secure SDLC, SAST, DAST, AWS/Azure vulnerability management, scripting/programming, etc.

Responsibilities:

  • Application Security / Secure SDLC
  • Build and optimize our security tooling stack, including SAST, DAST, SCA, and IaC.
  • Implement DevSecOps principles and integrate tools into CI/CD pipelines and developer workflows.
  • Define and improve secure SDLC processes designing and implementing a developer friendly secure SDLC framework tailored to company s delivery model.
  • Automate security checks in CI/CD pipelines and developer tools to ensure continuous visibility and successful delivery.
  • Build out process for threat modelling and secure design review process.
  • Implement security for supply chain security, AI/ML application security, Open source etc.
  • The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
  • Assist with application security vulnerability management including implementation of new vulnerability management tools.
  • Perform ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
  • Develop scripts / automation to assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.

Qualifications:

  • BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
  • 5+ Years experience in Application Security or Information Security environment.
  • Experience writing scripts and working with containers in a CI/CD pipeline.
  • Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.
  • Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, Google Cloud Platform, IaaS/PaaS/SaaS).
  • Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
  • Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
  • Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high level programming languages.
  • Deep knowledge of common web, API and cloud vulnerabilities (e.g. OWASP Top 10, CWE, auth flaws etc.).
  • Deep understanding of vulnerabilities, reachability, exploitability and how they affect applications.
  • Knowledge of how security fits into platform engineering and cloud native stacks.
  • Deep understanding of application layer attacks and defense mechanisms (CCS, CSRF, SQLi, XXE, SSRF, broken access control etc.).
  • Familiarity with API security (REST & GraphQL), Postman, OOWASP top 10).
  • Proficiency with artifact repositories and implementing security controls around component ingestion.
  • Familiarity with Kubernetes security, container scanning and cloud infrastructure as code.
  • Ability to triage and prioritize vulnerabilities based on exploitability, impact and business context.
  • Strong proficiency application security and vulnerability management.
  • Strong experience with custom scripting (python, C++, PowerShell, bash, etc.) and process automation.
  • Some proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark etc.).
  • Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls.

Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.