Company: Dillards

Address: Little Rock, AR
Form of work: Full-Time
Category: Information Technology

Job description

THE OPPORTUNITY

The Application and Web Security Specialist will serve as a security consultant for Web and Application Developers. You will work with developers to identify security risks within their applications and validate remediation. This role offers the opportunity to build solid relationships throughout the enterprise, with developers and vendors, while learning about the wide range of technologies employed within our organization. The role also includes opportunities to serve in other Security disciplines, such as Penetration Testing, Vulnerability Management, and Event Correlation.

THE TEAM

The Information Security Team is responsible for the confidentiality of customer and employee information, ensuring the data stored and shared maintains integrity, all while making sure that all of this does not impact the availability of the entire Dillard's enterprise.

This team is expected to be high-performing. To meet this expectation, the team members are communicative and collaborative, always sharing knowledge and research with one another. Members of this team should be able to understand what is expected of them and adjust on the fly, as priorities may change depending on the company's needs. If you are someone who sets a standard of excellence for yourself and you enjoy working alongside others who set the same standard and who genuinely want each of their peers to succeed, you may be the perfect addition to this team.

WHAT YOU WILL DO

  • Inspect and assess current solutions for Web and Application Security risks.
  • Identify security flaws in application code and web configurations, and suggest and oversee remediation.
  • Collaborate to create effective SIEM rules and other tools' alerts to notify staff of application and web threats and correlate across environments.
  • Participate in the vulnerability practice of scanning code across technology stacks and languages.
  • Validate risks and vulnerabilities while rating criticality and urgency.
  • Conduct penetration tests on code and web environments after every significant modification.
  • Ensure security controls are in compliance with applicable laws, regulations, and policies to minimize risk and audit findings.
  • Train others in IT on application security concepts and educate developers on risk-based coding, including the OWASP best practices.
  • Identify areas where IT processes need to be established or improved.
  • Participate in on-call rotation across the Information Security group.

THE SKILLSET

  • Knowledge of web architectures (WebSphere, Apache, IIS/IHS, CDN, NFS mounts, ESB, Jenkins, OCP), application languages (.NET, Groovy, Java, PHP, Bash, Python, AJAX, Ruby on Rails, REST, XML, SOA, HTML, COBOL), and code repositories (Git, CVS, etc.).
  • Understanding of security threats and solutions for applications.
  • Experience analyzing risk in accordance with regulations, including PCI, HIPAA, Sarbanes-Oxley, and state privacy laws.
  • Experience creating processes, procedures, and solutions that reduce technical risk and increase operational efficiency.
  • Ability to work independently and in teams while meeting multiple deadlines.
  • Strong interpersonal and communication skills with proven decision-making skills.
  • Desire to troubleshoot and lead investigations.
  • History of and commitment to ethical behavior and ethical full disclosure.
  • Background in the following areas: cyber security, intrusion detection/prevention, OS architecture, malicious network traffic identification, malicious code detection/prevention, security auditing, security architecture, security awareness education, databases, identity management, PKI, encryption methods/standards, event correlation, authentication services, incident handling, and forensics.

WITHIN 1 MONTH, YOU'LL

  • Meet with the various disciplines within the team to understand their roles
  • Have a familiarity with the various security tools that are used daily
  • Begin understanding Dillard's infrastructure and meet with infrastructure teams

WITHIN 2 MONTHS, YOU'LL

  • Understand your daily tasks
  • Begin taking ownership of more advanced tasks

WITHIN 3 MONTHS, YOU'LL

  • Be prepared to serve in the on-call rotation
  • Communicate security gaps found and provide potential solutions for said gaps

Refer code: 7426617. Dillards - The previous day - 2023-12-24 20:36
