Senior Application & DevOps Security Engineer

JOB SUMMARY: 

As a Senior Application Security Engineer, you will be working in a team that owns the design, development, and operations of application security controls for mission-critical applications of the payments business. We are looking for an experienced application security engineer who has a strong background in partnering with Engineering teams to develop and implement security best practices. 

We are looking for someone who is very hands-on and enjoys working with other engineers in a fast-paced environment.

CORE RESPONSIBILITIES:

• Manage security integration into the SDLC process.
• Lead  our application security reviews and threat modeling, including code review and dynamic testing.
• Perform hands-on security testing of our products and services to discover risks and help guide them to resolution.
• Scale application security by developing automated security testing capabilities.
• Enrich application security standards and socialize the material with our engineering teams.
• Guide and advise engineering teams in the area of application security.
• Research, develop, test and implement security quality gates for the CI/CD pipelines.
• Integrate vulnerability scanning and security testing into the CI/CD pipeline to detect and address security issues early in the development process
• Develop and maintain security tools, scripts, and automation frameworks to enhance the efficiency and effectiveness of security processes.
• Monitor and respond to security incidents and provide guidance and support during security-related incidents or breaches.
• Participate in security audits and assessments, and contribute to the development and implementation of security policies and procedures
• Assist in defining and documenting security requirements for new products and initiatives.
• Support and evolve the bug bounty program. Improve our program efficiency.

QUALIFICATIONS & EXPERIENCE:

Must Have Experience: 

• Experience ensuring security and privacy on the internet
• Experience with an interpreted programming language (Java spring boot, angular, php, Javascript, etc)
• Experience with application security testing techniques, tools, and methodologies
• Strong knowledge of web application, API and mobile application security principles, including common web application vulnerabilities,, secure session management, authentication and authorization mechanisms, and secure communication protocols
• Application security penetration testing and reporting
• In-depth knowledge of common web application vulnerabilities (OWASP Top Ten, CWE/SANS 25, PCI DSS, OAS etc.) etc
• In-depth knowledge of secure coding standards and security practices.
• Knowledge of securing containerized applications

Experience that will count in your favor:

• Experience with container orchestration security
• Experience with API security monitoring, automated response and overall management
• Experience architecting and securing against common API security risks.
• Experience with containerized application security is a plus
• Familiarity with cloud security deployment and implementation (AWS).
• Experience in secrets management
• Experience in cryptography certificate and key management

Nice To Have Experience:

• Exposure to SAST and DAST Security testing
• Exposure to Threat Modeling
• Exposure to software composition analysis
• Exposure to Kali Linux and associated toolkits - like Burp Suite

Qualifications:

• 5-7 years of relevant experience, demonstrating a strong understanding of application security principles, practices, and technologies..
• Bachelor's degree in Information Technology, Software Engineering, Computer Science or related field
• Relevant certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), or Certified Secure Software Lifecycle Professional (CSSLP), AWS Certified Solutions Architect - Associate or AWS Certified DevOps Engineer - Professional (DevSecOps Engineer) are a plus

Skills:

• Proficiency in multiple programming languages (such as Java, C#, Python, or JavaScript) 
• Ability to identify and remediate security vulnerabilities in code are essential. Familiarity with popular frameworks and libraries and understanding their security implications is important.
• Mobile (iOS/Android) application security experience is a plus.
• Excellent interpersonal skills and ability to work well with all levels of engineers and other disciplines.
• Strong communication and collaboration skills are essential as the role often works closely with development teams, architects, operations teams, and other stakeholders. The ability to effectively communicate security concepts, findings, and recommendations to both technical and non-technical audiences is important
• Documentation and report writing
• Proficient, autonomous, and rigorous behavior.
• Bonus Points: You’ve mentored teammates on new ways to deepen their technical craft

Personal attributes:

• Always open to learning new things and like to share this passion with those around you.
• Openness to upskilling
• Continuous Learning: The field of application security is constantly evolving, and a willingness to stay updated with the latest security trends, technologies, and attack vectors is crucial. 
• Participation in security communities, attending conferences, and continuous professional development are valuable.
• Leadership and Mentoring: Ability to lead and mentor junior team members, provide guidance and support, and promote a culture of security awareness and knowledge sharing within the organization.