Job ID: 19-32331
The Application Security Engineer will be a part of the Cybersecurity Team focused on general application security, DevSecOps principles, and code quality. The Cybersecurity Team works with application development teams to ensure technology security and vulnerabilities are addressed and remediated throughout the system development life cycle (SDLC).
Key Responsibilities and Requirements:
- 5+ years in application penetration testing.
- 5+ years in software development.
- Ability to work in a highly collaborative and dynamic, cross-functional team.
- Conduct application security assessments and penetration tests (web, mobile, web service, etc.).
- These assessments involve manual testing and analysis as well as the use of automated application vulnerability scanning/testing tools and/or code review tools.
- Perform threat models and risk assessments to characterize the risk and severity posture of large-scale commercial or in-house enterprise applications.
- Experience programming and scripting and ability to develop or adapt custom tooling to solve new needs.
- Experience performing baseline static/dynamic application security assessments (SAST/DAST) on new applications and changes to applications.
- Write security assessment and application threat profile reports.
- Maintain partnerships with application development teams, participate in corrective action plans for identified issues.
- Articulate risk and business impact to stakeholders.
- Provide on-the-job training and mentoring to other members of the team.
- Track and research the latest developments in vulnerability research.
- Strong understanding of vulnerabilities, common attack vectors and how to resolve them.
- Attacker mindset: ability to think about creative threats and attack vectors.
- Well-rounded background in host, network and application security.
- Familiarity with cloud platforms (preferably AWS).
- Experience with Agile practices such as Scrum, Kanban, CI, and CD.
- DevSecOps knowledge of areas such as tools/capabilities, monitoring, scripting, and metrics preferred.
- Experience delivering secure application development and application security testing training.
- Familiarity with OAuth 2.0 and OpenID Connect protocols.
- Working knowledge of industry and commonly adopted security standards and practices (e.g. applicable NIST standards, CIS, ISO, OWASP, SANS, BSIMM, and CERT).
- Certifications (Certified Ethical Hacker (CEH), GIAC Penetration Tester (GPEN), GIAC Certified Forensic Examiner (GCFE)) and training in hands-on exploit development are a plus.
- Administration experience with any of the following: Nessus, Rapid7, Burp Suite, Metasploit, and other scanning and analysis solutions.
- Airline or travel industry experience a bonus.