Application Security Engineer

***Hybrid, 3 days onsite, 2 days remote***

***We are unable to sponsor as this is a permanent full-time role***

A prestigious company is looking for an Application Security Engineer. This engineer will focus on web applications, secure SDLC, SAST, DAST, AWS/Azure vulnerability management, scripting/programming, etc.

Responsibilities:

• Application Security / Secure SDLC
• Build and optimize our security tooling stack, including SAST, DAST, SCA, and IaC.
• Implement DevSecOps principles and integrate tools into CI/CD pipelines and developer workflows.
• Define and improve secure SDLC processes – designing and implementing a developer friendly secure SDLC framework tailored to company’s delivery model.
• Automate security checks in CI/CD pipelines and developer tools to ensure continuous visibility and successful delivery.
• Build out process for threat modelling and secure design review process.
• Implement security for supply chain security, AI/ML application security, Open source etc.
• The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
• Assist with application security vulnerability management including implementation of new vulnerability management tools.
• Perform ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
• Develop scripts / automation to assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.

Qualifications:

• BS in Computer Science, Information Management, Information Security or other comparable technical degree from an accredited college/university desired.
• 5 Years’ experience in Application Security or Information Security environment.
• Experience writing scripts and working with containers in a CI/CD pipeline.
• Experience with CI/CD pipelines and software development/coding: Docker, Jenkins, GitHub, SVN, Terraform, and others.
• Strong familiarity with enterprise technologies; strong technical background and understanding of security-related technologies; prefer operational experience as an administrator, engineer, or developer and direct experience testing in commercial cloud environments (AWS, Azure, GCP, IaaS/PaaS/SaaS).
• Strong knowledge of cryptography (symmetric, asymmetric, hashing) and its various applications.
• Strong knowledge of common enterprise infrastructure technology stacks and network configurations.
• Exhibit ability to understand and modify code in a diverse range of programming languages and frameworks; must have direct practical experience with one or more high level programming languages.
• Deep knowledge of common web, API and cloud vulnerabilities (e.g. OWASP Top 10, CWE, auth flaws etc.).
• Deep understanding of vulnerabilities, reachability, exploitability and how they affect applications.
• Knowledge of how security fits into platform engineering and cloud native stacks.
• Deep understanding of application layer attacks and defense mechanisms (CCS, CSRF, SQLi, XXE, SSRF, broken access control etc.).
• Familiarity with API security (REST & GraphQL), Postman, OOWASP top 10).
• Proficiency with artifact repositories and implementing security controls around component ingestion.
• Familiarity with Kubernetes security, container scanning and cloud infrastructure as code.
• Ability to triage and prioritize vulnerabilities based on exploitability, impact and business context.
• Strong proficiency application security and vulnerability management.
• Strong experience with custom scripting (python, C , PowerShell, bash, etc.) and process automation.
• Some proficiency with common penetration testing tools (Kali, Armitage, Metasploit, Cobalt Strike, Nmap, Qualys, Nessus, Burp Suite, Wireshark etc.).
• Experience with Mainframes, Windows, Unix, MacOS, Cisco, platforms and controls.