What are the responsibilities and job description for the Application Security Engineer position at Request Technology, LLC?
***Hybrid, 3 days onsite, 2 days remote***
***We are unable to sponsor as this is a permanent full-time role***
A prestigious company is looking for an Application Security Engineer. This role is focused on application penetration testing, web application testing, risk assessment of vulnerabilities, C2 infrastructure, network testing, etc.
Responsibilities:
- Application Security Testing
- Perform application penetration testing as part of a team.
- Perform retests of vulnerabilities to verify previous findings have been remediated.
- Review reports of the testing and conduct security risk assessment of the vulnerabilities.
- Use and maintain cloud and self-managed security scanning tools, and perform manual source code reviews and manual penetration assessments.
- Conduct code scans using automated tools and risk-rate the vulnerabilities according to the organization's risk profile and mitigating controls.
- Conduct IT/Security code review meetings to eliminate false positives and encourage collaboration between Security and IT development teams.
- Assist with application security vulnerability management including implementation of new vulnerability management tools.
- Set up Command & Control (C2) infrastructure.
- Understand vulnerabilities and develop relevant payloads for use during pen testing activities.
- Perform independent reviews of company applications.
- Debrief users and provide remediation strategy on findings.
- Ensure that security controls in the company testing program, its supporting services, and related policies and procedures are aligned with applicable regulations and industry best practices.
- Perform ongoing reviews of application releases to ensure only secure, reviewed code is pushed to production, automating tasks as necessary.
- Develop scripts to integrate security tools into the CI/CD pipeline, and assist development teams with interpreting pipeline vulnerability reports to facilitate remediation.
Qualifications:
- BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
- 3 years' experience in penetration testing.
- 5 years' experience in an Information Assurance or Information Security environment.
- Experience writing scripts and working with containers in a CI/CD pipeline.
- Exposure to security architecture design through application development, or knowledge of security concepts and best practices.
- Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.
- Deep expertise in focused domain areas as well as good breadth of experience across Network/Application Penetration Testing, Web Application Penetration Testing, and more.
- Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, GCP, IaaS/PaaS/SaaS).
- Good applicable knowledge of policy and procedure development, systems analysis, Information Assurance (IA) policy, vulnerability management, and risk management.
- Good understanding of regulatory and industry standards including NIST CSF, NIST, PCI DSS, SSAE 16, SAS 70, HIPAA, FIPS 199, COBIT 5, and others as needed.
- Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
- Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
- Demonstrated ability to understand and probe/exploit a diverse range of network and Internet protocols.
- Strong experience with custom scripting (Python, C, PowerShell, Bash, etc.) and process automation.
- Strong experience with database security testing (MSSQL, DB2, MySQL, etc.).
- Strong proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark, etc.).
- Experience with Mainframe, Windows, Unix, macOS, and Cisco platforms and controls.
- Familiarity with application frameworks and their built-in security services and APIs (e.g., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.).
- Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
- Familiarity with application authentication and authorization systems (e.g., CA SiteMinder, RSA SecurID/ACE, Active Directory, and LDAP).
Salary: $160,000 - $170,000