Senior Application Security Engineer

Position: Senior Application Security Engineer

Location: 100% ONSITE - 80 Maiden Lane, New York, NY 10038

Duration: 12 months

Visa: GC 

Exp: 12 Years

All responses DUE by: 03/05/2025

Job Description:
Scope of services:

• My city is a single portal for all City services and benefits.
• The vision is a simple, seamless, and intuitive experience interacting with City government digitally.
• It is designed with New Yorkers at the centre of the process to prioritize features by conducting user research.
• My city produces value for New Yorkers early and often through phased releases.
• There are several phases within the My City portal work stream (Childcare, Business Portal, Workforce Development Services, and others).
• OTI Cyber Command is looking for additional support as the cyber threat landscape continues to evolve and Citywide cybersecurity solutions are deployed in large, complex networked environments.
• The needed resource skill set is specialized in providing guidance at various stages of planning and implementing security design, processes and solutions, testing and validation, and pivots between numerous technical projects, communicating status at various leadership levels.
• The resource will have significant interaction with NYC Cyber Command leadership, its engineering, architecture, and application security teams, incident response, and other cybersecurity practitioners.

Mandatory Skills/Experience

• 12 years of experience in application security, with a proven track record of conducting vulnerability assessments, penetration testing, and secure code reviews.
• Extensive experience in secure application development, including knowledge of security frameworks like OWASP Top 10, and the ability to guide development teams in implementing secure coding practices.
• Proficiency in Software Composition Analysis (SCA) tools (e.g., Veracode, AppSec) for identifying and managing vulnerabilities in open-source libraries and third-party components.
• Advanced knowledge of static and dynamic application security testing (SAST/DAST) tools (e.g., Veracode, AppSec, Burp Suite) and integrating these tools into CI/CD pipelines for automated security checks.
• Strong cloud security expertise, including securing applications and workloads on AWS, Azure, or Google Cloud Platform, and experience with Web Application Firewalls (WAF) and cloud-native security services.

Desirable skills/experience:

• Advanced cloud security experience: Experience securing cloud environments (AWS, Azure, Google Cloud Platform) with tools like Web Application Firewalls (WAF), and implementing IAM, encryption, and monitoring tools.
• Experience with scripting and automation using Python, Bash, or PowerShell to automate security tasks, integrate security testing tools, and improve the efficiency of security operations.
• Strong communication skills: Ability to effectively explain complex security concepts and risks to both technical teams and non-technical stakeholders, ensuring alignment on security measures.
• Leadership and mentoring skills: Experience leading security teams or initiatives, mentoring junior engineers, and fostering a culture of security awareness within the organization.
• Collaboration and cross-functional teamwork: Proven ability to work effectively with development, DevOps, and IT teams to integrate security into all aspects of the business, ensuring security goals align with business objectives.
• Highly flexible/willing to learn new technologies.
• Highly organized with excellent analytical, problem-solving, and decision-making skills.

Additional Qualifications:

• Certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP), or GIAC Web Application Penetration Tester (GWAPT) are highly preferred.
• Knowledge of compliance standards like NIST, PCI-DSS, and GDPR and how they apply to application security.