SANS ISC: InfoSec Jobs

APPLICATION SECURITY ENGINEER
Company COFENSE
Location United States
Preferred GIAC Certifications GPEN, GWAPT, GCPN, GDAT
Travel 0%
Salary Open for discussion
URL https://recruiting.ultipro.com/PHI1008PMINC/JobBoard/2bfae9ff-dc34-4867-b871-a579eae69b54/OpportunityDetail?opportunityId=5b077f49-70ca-4066-afc9-423867ad9402
Contact Name JP
Contact Email 100000/at/cofense.com
Expires 2021-03-02

Job Description

Description
Reporting to the Senior Director - Software Engineering, the Application Security Engineer III is responsible for assisting the Development, Production Engineering, and Security Operations teams with application-level security assessment and threat mitigation.

Essential Duties/Responsibilities

Actively participate in the development of software as a member of a Scrum team
Participate in the review of the merge requests from Development and Production Engineering teams to proactively address security concerns before changes are merged to master
Actively participate in our agile life-cycle, including planning, grooming, daily stand-ups and retrospectives.
Use static code analysis tools to harden the software.
Develop and evangelize secure programming standards
Perform security reviews of software designs, assisting others to ensure quality and robustness of our products.
Perform security focused design reviews considering elements such as: protocols, encryption, data storage, and business logic
Validate, address, and document responses to security findings from third-party penetration testing engagements
Other duties as assigned


Knowledge, Skills and Abilities Required

Passionate about application security and development
A self-starter who can identify work that needs to be done without waiting for direction
Comfortable mentoring engineers that are globally distributed.
Understand OS concepts such as scheduling, interrupt handling, and virtualization of computing resources.
Able to demonstrate Java programming skills and comfortable learning new languages.
Comfortable working independently but able to escalate problems when necessary
Demonstrate strong oral and written communication skills
Willing to mentor and guide fellow team members kindly and constructively
Enjoy sharing knowledge via documentation
Happy to travel occasionally for team meetings and events
Able to write PoC code and documentation that clearly demonstrate vulnerabilities
Proficient with (or able to quickly learn) automation tools such as Selenium
Able to find solutions to challenging technical puzzles with atypical constraints
Able to effectively use git and understand common SCM workflows
Able to write code that is intentional and readable, rather than magically obscure
Enjoy tinkering
Ability to list and demonstrate examples of the OWASP Top 10 preferred
Familiarity with TDD/BDD preferred
Working knowledge of AWS or other cloud computing platforms preferred
Familiarity with proxies, firewalls, mail infrastructure, and other solutions commonly seen in large enterprises preferred


Education and/or Experience:

Bachelor’s degree preferred.
Previous professional, full-stack app-dev experience preferred
Experience using static analysis security audit tools preferred
Experience using CI environments (Jenkins/Docker) preferred
Experience performing threat modeling
Experience with secure code quality practices and tooling to support quick engagements and rapid analysis: static analysis tools (Coverity, Checkmarx, or similar), dynamic scanning (Rapid7, AppSpider, or similar), fuzzing (AFL, Peach, or similar), and code coverage (Bullseye, LDRA, etc.) preferred
Experience with security incident response activities
Experience penetration testing and the usage of web proxies for manual vulnerability assessment
Customer support experience (retail, help desk, consulting, etc.) preferred

Certifications - GIAC Penetration Tester (GPEN) with CyberLive / GIAC Web Application Penetration Tester (GWAPT) / GIAC Cloud Penetration Tester (GCPN) / GIAC Defending Advanced Threats (GDAT)