Application Security Manager - Remote

Job Summary

Our CAST (Clark Associates Security Team) is committed to maintaining the highest standards of security and integrity in all our applications and systems. We are seeking a Hands-On Senior Application Security Manager who will lead our application security efforts while actively participating in technical tasks. In this role, you will function as a senior application security engineer who also guides and mentors the team. You will be instrumental in integrating security practices throughout the software development lifecycle (SDLC), securing containerized applications, securing our ecommerce platforms, and enhancing our overall security posture.

Responsibilities

Technical Leadership:

• Actively perform security assessments, code reviews, penetration testing, and vulnerability management.
• Develop and implement security measures to protect applications, including those running in containerized
• Stay current with the latest security threats, vulnerabilities, and technologies.
  
  

Team Leadership:

• Lead, mentor, and provide technical guidance to a team of application security engineers and analysts.
• Foster a collaborative environment that encourages knowledge sharing and continuous learning.
  
  

Program Management:

• Oversee the integration of security practices into all stages of the SDLC.
• Implement security tools and processes within CI/CD pipelines and development workflows.
• Establish metrics and reporting mechanisms to track the effectiveness of the Application Security program.
  
  

Security Control Integration:

• Collaborate with development and DevOps teams to ensure secure coding practices and secure deployment of containerized applications.
• Integrate security testing tools into CI/CD pipelines for both traditional and containerized applications.
  
  

Policy Development:

• Establish and enforce secure coding standards, policies, and procedures across the organization.
• Ensure compliance with relevant security standards and regulations.
  
  

Risk Management:

• Identify, assess, and prioritize application security risks, including those specific to container technologies.
• Develop and oversee remediation plans to address identified vulnerabilities.
  
  

Collaboration:

• Work closely with product managers, developers, and other stakeholders to integrate security requirements into product development.
• Provide security design reviews and consultations for new and existing projects.
• Advocate for security best practices across the organization.
  
  

Reporting:

• Provide regular updates on security metrics, program status, and risk assessments to executive leadership.
• Communicate security issues and strategies effectively to both technical and non-technical audiences.
  
  

Physical Requirements

• Work is performed while sitting/standing and interfacing with a personal computer.
• Requires the ability to communicate effectively using speech, vision, and hearing.
• Requires the regular use of hands for simple grasping and fine manipulations.
• Requires occasional bending, squatting, crawling, climbing, and reaching.
• Requires the ability to occasionally lift, carry, push, or pull medium weights, up to 50lbs.
  
  

Remote Work Qualifications

• Access to a reliable and secure high-speed internet connection. Cable or fiber internet connections (at least 75mbps download/10mbps upload) are preferred, as satellite connections often cannot support the technologies used to perform day-to-day tasks.
• Access to a home router and modem.
• A dedicated home office space that is noise- and distraction-free. The space should have strong wireless connection or a wired Ethernet connection (wired connection is preferred, if possible).
• A valid, physical address (apartment, suite, etc.). PO Boxes are not supported, as a physical address is required for you to receive your computer equipment.
• The desire and ability to work and communicate with other team members via chat, webcam, etc.
• Legal residents of one of the following states: (AK, AL, AR, AZ, CT, DE, FL, GA, IA, ID, IN, KS, KY, LA, MD, ME, MI, MN, MO, MS, NC, ND, NH, NM, NV, OH, OK, PA, SC, SD, TN, TX, UT, VA, VT, WI, WV, or WY). H-1B Visa Sponsorship Not Available, W2 only.
  
  

Experience

• Minimum of 5 years of hands-on experience in application security engineering.
• Proven experience leading or mentoring a team of security professionals.
• Extensive experience integrating security into the SDLC and CI/CD pipelines.
• Demonstrated expertise in securing containerized applications and environments.
  
  

Education

• Bachelor's degree in Computer Science, Information Security, or a related field; Master's degree preferred.
  
  

Certifications (Preferred)

• Certified Information Systems Security Professional (CISSP)
• Certified Secure Software Lifecycle Professional (CSSLP)
• GIAC Web Application Penetration Tester (GWAPT)
• Certified Kubernetes Security Specialist (CKS)
• Certified Information Security Manager (CISM)
  
  

Desired Traits

Technical Expertise

Application Security:

• Deep understanding of application security principles, threats, and mitigation strategies.
• Proficient with tools like OWASP ZAP, Burp Suite, Checkmarx, Fortify, and Veracode.
• Experience with OWASP Top 10, OWASP ASVS, and secure coding standards.
• Understanding of various API’s (REST) API Frameworks and API Security.
  
  

Container Security:

• Strong knowledge of containerization technologies (e.g., Docker, Kubernetes).
• Experience securing containerized applications and implementing best practices for container security.
• Familiarity with container security tools like Aqua Security, Twistlock (Palo Alto Prisma), or Sysdig Secure.
  
  

CI/CD and DevOps:

• Proficient with CI/CD tools such as Jenkins, GitLab CI/CD, or Azure DevOps.
• Experience integrating security tools into CI/CD pipelines for automated testing.
  
  

Cloud Security:

• Experience with securing applications in cloud environments (e.g., AWS, Azure, GCP).
• Familiarity with cloud security services like AWS Security Hub or Azure Security Center.
  
  

Programming and Scripting:

• Strong coding skills in languages such as Java, C#, Python, JavaScript, or similar.
• Ability to conduct code reviews and guide developers on secure coding practices.
  
  

eCommerce Security:

• Experience with identifying, mitigating, and preventing security threats to ensure the safety and privacy of customer data and the integrity of the ecommerce systems.
• Conduct regular security assessments and audits of the ecommerce platform to identify vulnerabilities.
• Ensure that ecommerce platform complies with relevant regulatory standards such as PCI-DSS, GDPR, and CCPA.
• Familiarity with Web Application Firewalls and WAF logs.
  
  

Incident Response:

• Oversee incident investigation efforts, including forensic analysis, to determine the root cause of incidents.
• Coordinate with cross-functional teams to ensure prompt and effective resolution of security incidents and prevent recurrence.
  
  

Skills

• Leadership: Proven ability to lead and mentor a technical team effectively.
• Communication: Excellent verbal and written communication skills; capable of explaining complex security concepts clearly.
• Problem-Solving: Strong analytical and troubleshooting skills in resolving security issues.
• Industry Knowledge: Up-to-date with the latest trends in application and container security.
• Time Management: Ability to manage multiple projects and priorities efficiently.
  
  

Company Overview

The foodservice professional’s premier source for restaurant equipment, supplies, and knowledge online. Our purpose is to empower and equip people to run their businesses more profitably and efficiently.

Benefits

• Medical
• Vision
• Dental
• PTO
• Paid Maternity Leave
• Paid Parental Leave
• Life Insurance
• Disability
• Dependent Care FSA
• 401(k) matching
• Employee Assistance Program
• Wellness Incentives
• Company Discounts
• AT&T & Verizon Discount
• Bonus Opportunities
  
  

Available at HQ Locations Only

• On-Site Fitness Centers
• Dog-friendly Offices