Senior Application Security Test Engineer
Employment Type: Full-Time
- Experience in leading the creation and adoption of enterprise security testing tools.
- Software development and test, and web application penetration testing background.
- Experience working with development teams to define alternatives and recommend optimal solutions to meet security requirements in the design of new or enhanced systems.
- Partner with, guide and inspire development teams to address security concerns.
- Web application penetration testing knowledge and experience in software development and testing.
- Expert knowledge of DAST solutions and techniques.
- Familiarity with SAST solutions and techniques.
- Expert knowledge of application vulnerability types, attack vectors and remediation approaches.
- Industry best practices for secure software development and testing as well as web application security, including IAST and RAST technologies.
- Experience with continuous delivery/continuous integration processes and procedures, including implementing critical security considerations in automated workflows.
- Knowledge of web application full-stack architecture and network models.
- Demonstrated technical competency in security engineering based on hands-on experience or relevant qualifications.
- Expert understanding of the IP protocols and associated security mechanisms: TCP/IP, HTTP, SSL/TLS, PKI.
- Familiarity with well-known application security sources and standards such as OWASP, WASC and NIST.
- Experience developing security testing software to aid in testing and automating dynamic application security testing.
- Knowledge of SaaS/PaaS/IaaS security models.
- Expert understanding of automation development and techniques.
- Include a percentage of time spent for each accountability (total percentages should equal 100%).
- Ability to positively influence the behavior of peers and build relationships with other teams without direct authority over those teams.
- Assess current practices and identify and implement relevant policies to ensure state-of-the-art testing practices as they relate to security.
- Mentor and help develop qualified Software QA staff, application developers and testers.
- Constantly monitor new security research findings; understand, learn and then apply new techniques, attack vectors and vulnerability types in the Security QA program.
- Determine the selection of Software QA (SQA) program elements, including supporting tools.
- Define the enterprise risk management and governance approach for SQA controls.
- Ensure the security of software produced or procured to prevent loss, inaccuracy, alteration, unavailability, or misuse of data.
- Provide guidance on automation strategies to manage regression risk and enhance testing throughput.
- Introduce automated testing of fixed vulnerabilities into continuous delivery/continuous integration processes and procedures.
- Support the establishment of security requirements for the software development and/or operations and maintenance (O&M) processes.
- Identify opportunities for changes to software security design patterns and reference architecture.
- Partner with the SSA team to integrate software security scanning and testing into software development, build and testing programs.
- Develop, mentor and train application developers and SQA staff in application security best practices and secure coding.
- Conduct software security testing, including penetration testing, to confirm the results of design and code analysis, investigate software behavior, and verify that the software complies with security requirements.
- Perform software-focused attack surface reviews and static code, OSS and dynamic application assessments.
- Review, inspect and walk through source code to help developers understand vulnerabilities and advise developers on remediation.
- Develop application-specific threat models (complex to highly complex) to identify security design flaws and provide guidance on application-specific risks and controls.
- Identify security vulnerabilities resulting from security bugs, coding errors, omissions, and defects.
- Introduce new technologies for scanning vulnerabilities and work with application developers to ensure they are integrated and used consistently.
- Define security requirements and guidelines to ensure repeatable processes.
- Design the strategy, standards, and architecture for the security aspects of the SDLC, including application, mobile, web service, DevOps, cloud, and CI/CD efforts.
- Provide indicators and reports used to help assess control effectiveness.
- Maintain lists of recommended secure software design patterns, reference architectures and secure software frameworks.
- Bachelor's degree in Computer Science, Computer Engineering or a closely related IT field.
- 10 years total related experience.
- Bachelor's degree in Computer Science, Computer Engineering or a closely related IT field, or equivalent.
- 5+ years of enterprise software development/testing experience. Java programming skills, including knowledge of JSSE and other security features, are preferred. Experience with .NET/ASP/C# is also a plus.
- Development experience with strong Java programming skills, including knowledge of JSSE and other security features.
- Working knowledge of the Java development environment, including tools and frameworks used by developers and testers (e.g. Eclipse, Spring, Jenkins, Maven, Jira, Selenium).
- Solid understanding of a variety of software security practices: secure code reviews, vulnerability scanning methods, threat modeling, security requirements analysis and architectural risk analysis.
- Expert knowledge of application vulnerability types, attack vectors and remediation approaches.
- Expert understanding of the IP protocols and associated security mechanisms: TCP/IP, HTTP, SSL/TLS, PKI.
- Familiarity with well-known application security sources and standards such as OWASP, WASC, NIST and CVE.
- Extensive applied knowledge of dynamic analysis tools and hacking tools.
- Experience performing software security architecture, design and requirements analysis for large-scale enterprise systems.
- Experience leading enterprise deployment of application security tools, services and controls.
- Information security and control certifications preferred (CISSP, GPEN, GWAPT, OSCP, CEH, etc.).
- Military education or experience may be considered in lieu of the civilian requirements listed.