
Engineer, Application Security- (Open to remote)

Penguin Random House LLC
New York, NY Remote Full Time
POSTED ON 4/12/2025
AVAILABLE BEFORE 6/10/2025

Penguin Random House is seeking an Application Security Engineer to join the IT Security team.  This position will be responsible for advancing Secure Software Development Life Cycle (SDLC) practices and incorporating Application Security services and technologies to achieve a security-first design in all of Penguin Random House’s applications.  In addition, the individual will be expected to contribute to and help deliver services and projects across various aspects of information security.   

 

The individual will collaborate with developers and business stakeholders from relevant technical teams to evaluate the security architecture of new products and features through application security assessments.  They will prioritize and provide guidance on mitigating identified weaknesses and vulnerabilities while working with development teams to define and promote security best practices. 

 

The ideal candidate will have experience in at least one of the following areas: securing workflows in AWS and Azure, proficiency in SecDevOps and automation, familiarity with secure coding practices, or a background in application development with a desire to move into application security. In this role, you will establish cross-functional relationships with team members while being a trusted resource for Development. You will also maintain a hands-on role in implementing solutions and crafting specifications for those teams.   

 

Specific responsibilities include:

 

  • Develop and refine our core infrastructure architecture to minimize the vulnerability of essential services and reduce the impact of potential security exploits. 
  • Strategize and implement application security architectures that are in line with the company’s business objectives, ensuring adherence to privacy standards and compliance requirements. 
  • Utilize scripting languages (Python, Ruby, Bash, etc.) to build automation tools as needed. 
  • Create and deliver presentations and documentation to educate developers and operations teams on application security best practices and secure coding techniques.  
  • Identify and assess threats, vulnerabilities and potential exploits through architecture design reviews, threat modeling, code reviews, SCA/SAST/DAST assessments and collaborate with developers/engineers to remediate issues. 
  • Formulate and establish application security policies, standards and guidelines to support the secure development of products and services. 
  • Collaborate with the DevOps team to enhance Application Security, integrating security tools into the CI/CD pipeline, including container security, SCA/SAST, DAST, IAST, and third-party vulnerability scanning.
  • Partner with security stakeholders across the organization to assist delivery teams in conceptualizing and implementing security-focused projects and initiatives. 

  

Preferred qualifications include: 

 

  • Bachelor's degree in computer science or a related field, supplemented by a minimum of five years of professional experience encompassing a robust technical understanding and practical involvement in secure software development, security engineering, DevOps, application penetration testing, and/or negative QA testing. 
  • Proficient in effective communication, interpersonal relations, and organizational management.
  • Experience with application security tools such as SCA, SAST, DAST, penetration testing, and fuzzing.
  • Comprehensive knowledge of prevalent software and web application security vulnerabilities, including OWASP Top 10 and SANS/CWE Top 25.
  • Expertise in conducting security assessments for web and mobile applications based on OWASP ASVS/M-ASVS and other testing guidelines.
  • DevOps experience with building and deploying applications/infrastructure with the following technologies: GitLab/GitHub, Ansible, Jenkins, etc. Advanced understanding and experience with web architectures, web applications, APIs, mobile applications, desktop applications, Unified Communications (including VoIP and SMS), and the underlying technology of cloud infrastructure.
  • Experience securing DevOps, including continuous integration, configuration management, and continuous deployment. 
  • Demonstrated ability in leading code reviews, executing threat modeling, and conducting penetration tests.
  • Industry-recognized certification in security is a plus (e.g., CISSP, CISA, CISM, CRISC, CEH, etc.) 
  • Bilingual in Spanish preferred. 

 

 This position is open to remote candidates.     

 

The salary range for this position is $100,000 - $135,000. All positions are currently eligible for annual profit award or bonus, subject to Company results.   

 

Please apply by April 4th using our online application process, and please include your resume, cover letter, and salary requirements.  

 

Salary : $100,000 - $135,000
