Product Application Security Engineer
Reporting directly to the Product Dev / Engineering Manager, the Application Security Engineer will play a key role in securing all software built and/or used by SEW. The engineer will work with application development teams as well as 3rd party organizations to ensure that security, privacy, and compliance constraints are built into the applications. In addition to securing applications, the engineer will be expected to help develop tools and scripts to enhance the security processes and systems at SEW. The individual should exhibit the following: strong interpersonal skills, high motivation, a results orientation, excellent communication and presentation skills, and strong teamwork.
- Experience designing and executing web application security evaluations, solo and as part of a team
- Application security testing techniques, using automated tools and manual testing
- Research threats and attack vectors that impact web applications and infrastructure.
- Assess new and existing applications and system deployments for vulnerabilities and design flaws and prioritize remediation efforts based on risk.
- Hands-on experience with one or more tools like Veracode, BurpSuite, Kali, BeEF, Fuzzers, Metasploit, HP Fortify, YASCA, AppScan, AppDetective, Nessus is desired.
- Ability to document and explain risks and vulnerabilities to technical stakeholders
- Perform manual and automated application vulnerability assessments and document vulnerabilities which were found and provide recommendations for remediation
- Perform manual code reviews on systems to identify vulnerabilities as a complement to automated vulnerability assessments
- Provide security recommendations as a subject matter expert for development teams during all phases of development
- Develop tools and scripts to enhance and automate Verisign’s security systems and processes
- Validate vulnerability resolutions and ensure they are deployed to production in a timely manner
- Track open issues and follow up to ensure remediation
- Participate in the change management process ensuring that all releases are reviewed by security before being approved for production
- Provide guidance to application groups on application security best practices
- Enhance and deliver application security training to Verisign engineers
- Develop automated security tests that can be integrated into a product’s automated test suites
- Awareness of security-related best programming practices for J2EE and .NET
- Discovery of application security weaknesses, and writing recommendations for preventing or fixing them
- Experience using scan/attack/assessment tools and techniques, including proficiency in at least one common framework such as OWASP, Metasploit.
- 5+ years industry experience in product / application security
- One or more certifications like CISSP, CEH, Security+, OSCP desired
- 4+ years of hands-on application security assessment experience
- Min 2+ years of Application development experience related to security
- Experience developing API based applications to integrate disparate systems
- Experience using Burp Suite to perform security assessments (with a focus on manual testing)
- Knowledge of the OWASP Testing Framework and OWASP Top 10
- Experience in implementing security assessments within a continuous integration pipeline highly preferred
- Methodical and organized; able to manage multiple opportunities, projects, and partners concurrently
- Able to multi-task and work independently with minimum supervision to meet firm deadlines
- Performs other special projects or duties as assigned
- Code review skills are a definite plus
- Understanding of Agile methodologies (Kanban, Scrum, pair programming etc.)
- Ability to discover and exploit OWASP/SANS application vulnerabilities
- Experience with system and application vulnerability assessment/penetration testing is desired.