About this job

H-E-B is a leading innovator in technology, and our Information Solutions Partners collaborate to design, construct, implement, and support technology solutions to help make us the Greatest Retailing Company.

As an Application Security Engineer, you will work closely with Product Design, Software Development, Production Operations, and other members of the Security group to maintain and enhance the security of our mobile, web, and server software applications. This work involves several technology stacks and multiple hardware platforms.

Do you have a:

HEAD FOR BUSINESS - the willingness to maintain / gain new technical knowledge?

HEART FOR PEOPLE - the ability to present complex technical and security-related info so it's easily understood by many?

PASSION FOR RESULTS - the ability to advise on development / acquisition projects to ensure the best security-related outcomes?

RESPONSIBILITIES INCLUDE:

  • Design, integrate, and test a suite of tools for security management of multi-tenant private and public cloud application services.
  • Develop secure design patterns for cloud architectures built in public or private cloud environments.
  • Support vendor and partner security assessments.
  • Actively audit the infrastructure and applications for security problems while prioritizing fixes.
  • Build repeatable and testable security infrastructure.
  • Research emerging trends and technologies to assess the threats they may face.
  • Provide security expertise on system, network, encryption, authentication, and governance.
  • Recommend configuration changes to improve the performance, usability, and value of cyber analysis tools.
  • Assist with product studies, perform requirements analysis, and develop software architectures to meet requirements.
  • Create technical proposals and white papers, and write functional and design specifications.
  • Measure compliance against standards.
  • Identify security vulnerabilities in applications written in C, C#, and Java for modern versions of Linux and Windows via code reviews and reverse engineering.
  • Identify weaknesses in various network protocols.
  • Offer solutions to discovered vulnerabilities.
  • Develop tools and scripts to aid in reverse engineering and vulnerability discovery.
  • Suggest secure design techniques to management and customers to improve application security posture.
  • Prepare reports on project progress and present results to the customer and management.
  • Contribute to maturing process, policy, and standards guidance.
  • Maintain current knowledge of relevant vulnerabilities and mitigation techniques.
  • Research emerging technologies and maintain awareness of current security risks.
  • Other duties as assigned.
  • Bachelor's degree or 7 years relevant work experience.
  • 3-5 years of experience (preferred) with security management of cloud-based services (SaaS) in a fast-paced Agile environment.
  • At least two certifications in Application Security or Pen testing (CSSLP, GSSP-x, CEH, GPEN, GWAPT, GMOB).
  • Mid to expert level knowledge of AWS, Azure, and Google Cloud Platform.
  • Hands-on experience with security management and issues surrounding virtual machines, containers, and applications.
  • Strong knowledge of build systems, the microservices model, and continuous integration/deployment practices.
  • Familiarity with cloud-based security standards and frameworks.
  • Knowledge of SDLC practices.
  • Ability to perform comprehensive code reviews.
  • Proficiency in C, Java, JavaScript, SQL, or exceptional skill in another similar coding or scripting language.
  • Working knowledge of Python 3 or another popular scripting language on the Linux platform.
  • Strong knowledge of public key cryptography, web services SSO strategies, and CVSS scoring.
  • Experience with modern development tools such as Visual Studio 2010, GCC 4.8, Git, or Jenkins.
  • Understanding of one or more automated code auditing/vulnerability tools: Checkmarx, IBM AppScan, Veracode, WhiteHat, or Burp.
  • Experience with automation and DevOps technologies (such as Puppet, Chef, Ansible, etc.).
  • Experience with one or more modern RE tools: IDA Pro, WinDbg, Radare2, Ollydbg, Binary Ninja.
  • Strong knowledge of open-source libraries/packages.
  • Experience architecting, deploying, and managing a suite of security management tools, including tools for: WAF, SIEM, log management, DDoS protection, pen-testing, vulnerability management, automated code analysis, and anti-malware.
  • Excellent oral and written communication skills.
  • Awareness of security standards and frameworks relevant to the SaaS industry (e.g. ISO, NIST, CSA).

Physical and Other Requirements

  • Function in a fast-paced, retail, office environment.
  • Travel by car or airplane with overnight stays.
  • Sit for extended periods of time.
  • Work extended hours, nights, weekends, and shift work.