Application Security Engineer - Information Security (Flexible/Remote) - Full-time / Part-time

Performs security application source code reviews, application vulnerability testing and application threat assessments. Leverages advanced tools, methods and approaches to demonstrate weaknesses in applications. Responsible for assuring developers and technical personnel address application security issues in a timely fashion. Will routinely collaborate with different security team members including, but not limited to: architecture, infrastructure, network, compliance and incident response. 

CANDIDATE PROFILE

Education and Experience

• Bachelor’s degree in Computer Science or related field or equivalent experience/certification
• 3+ years working as a frontend or backend software developer
• Has written, tested and deployed at least one revenue generating web application
• Has worked as a developer on a team consisting of 5 or more software developers
• Expert level knowledge of at least one compiled programming language
• Expert level knowledge of at least one interpreted programming language
• Ability to write a software specification
• Knows how to perform an application stress test
• Ability to conduct independent research
• Strong understanding of HTML, HTTP, JSON, and XML
• Ability to fluently write, read, debug and test applications written in Java and JavaScript
• Understanding of web service implementation paradigms (REST, SOAP)
• Familiar with OWASP and the common flagship projects
• Basic understanding of Cryptography concepts: hashing, signing, symmetric/asymmetric encryption and decryption
• Basic understanding of network security concepts: DOS, DNS Spoofing, ARP Poisoning, Reverse Shells, Firewalls,
• Basic understanding of defensive programming and test-driven development 
• Knows how to perform common application exploits: XSS, SQL Injection, UI Redressing, Directory Browsing, Log Forging 
• Basic understanding microservice application architecture, software cohesion and software coupling
• Willing to write tools as necessary to perform day to day duties.
• Comfortable learning new programming languages as needed to conduct code reviews

• Current information security and/or software development certification, including Certified Secure Lifecycle Professional (CSSLP), Professional Software Engineering Master (PSEM), Certified Software Development Professional (CSDP), GIAC Secure Software Programmer (GSSP)
• Expert level knowledge static analysis tools and methods
• Expert level knowledge of dynamic analysis tools and methods
• Advanced knowledge software engineering concepts: GOF software design patterns, SOLID design principles (SRP, OSP, LSP, ISP, and DIP) and design methods (Scrum, XP, Lean, Waterfall)
• Strong understanding of, SAML, OAuth and OIDC
• Strong understanding of common cryptographic algorithms and libraries
• Experience with mobile application development on Android or iOS
• 2+ years working as full stack software developer
• 1+ years working in a software QA role.
• Comfortable with the following tools and technologies: Git, ZAP or BurpSuite, Postman, SoapUI, Jenkins, Artifactory, SonarQube, FindBugs, Docker, JIRA, Confluence,

• Evaluates applications for security flaws by performing fuzzing, access/authorization bypass, business logic abuse and intentional fault injection.
• Uses Static and Dynamic Analysis tools to support broad testing and vulnerability discovery.
• Reviews application architectures and implementation details for design flaws, incorrect security implementation and missing security controls.
• Works with other security team members to research and test for complex security issues.
• Consults with Software Engineers, Infrastructure Architects and Security Architects to correct application, architectural or environment flaws.
• Validates external security researcher bug bounty submissions.
• Works closely with service providers and external security support resources to schedule, track and manage outsourced security testing efforts.
• Creates and/or maintains threat models to communicate risks to engineers, project managers and other technical personnel.
• Ensures applications are built according to enterprise security standards.

• Works with development teams to review application source code for security and operational risks.
• Perform manual code reviews of applications that are not compatible with automated SAST tools.
• Provide detailed security documentation to developers, software engineers and technical personnel when necessary
• Provide guidance and recommendation to software architects and engineers on how to correct code related security flaws

• Participate in peer reviews of security assessments created by other team members.
• Manage tickets and SLA’s associated with security testing efforts.
• Maintain the enterprise SSDLC standard.

MANAGEMENT COMPETENCIES