Application Security Engineer

2 days on site in Chicago

Technical Skills

• 5+ years of experience as a software engineer (in any language or framework)
• 5+ years of experience as a software development-focused cybersecurity professional
• 5+ years of experience working on a major cloud platform (AWS, Azure, GCP, or Salesforce) as a software engineer, cloud/DevOps engineer, security engineer, or architect.
• Experience analyzing and remediating security findings from automated and manual sources such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), penetration testing, Software Composition Analysis (SCA), etc.
• Experience leveraging one or more of the following resources to support secure coding and decision-making: OWASP Top 10, MITRE Common Weakness Enumeration (CWE) Top 25, OWASP Application Security Verification Standard (ASVS) and Other industry-standard best practice guides or frameworks
• Experience building or supporting web applications and API’s including Single Page Applications (SPA) and RESTful API’s.
• Proficiency in one or more programming languages.

Typical task breakdown:

• Analyzing, validating, communicating, and consulting on security defects identified by both automated and manual sources such as CodeQL, Rapid7 Web Application Security, penetration testing, bug bounty, etc. (The security engineers are partners to software engineers who require accurate information on why a vulnerability exists and what they can do about it.)
• Enabling and monitoring automated defect detection tooling (CodeQL, Rapid7, etc.) at the repository or application level according to established process.
• Collecting and communicating required scope and access information for penetration testing and security assurance assessments, as well as handling the output of these assessments via our Defect Management Process.
• Consulting with software engineers on practices which will improve their application’s security maturity according to scorecards and maturity models.
• Authoring, in close partnership with software engineers, correction of error reports which help engineers and architects across avoid similar mistakes in their own applications.