Address
Form of workJob Description
***Hybrid, 3 days onsite, 2 days remote***
***We are unable to sponsor as this is a permanent full-time role***
A prestigious company is looking for an Associate Principal, Application Security. This person will help lead secure development initiatives, will do manual code reviews, do penetration testing and use pen testing tools like Burp Suite, Kali Linux, etc. Also needed is AWS cloud security experience, CICD pipeline security, etc.
Responsibilities:
- Application Security Testing – The use and maintenance of cloud and self-managed security scanning tools, manual source code reviews, and manual penetration assessments.
- Vulnerability Management – The cataloging, reviewing for false positives and mitigations, threat and risk assessments, and lifecycle management through remediation according to SLAs of application vulnerabilities.
- Release Management – Ongoing reviews of application releases to ensure only secure and reviewed code is pushed to prod, with automation tasks as necessary.
- CI/CD pipeline – Develop scripts to integrate Security tools into the Jenkins pipeline and assist development teams with interpreting results from pipeline vulnerability verification reports to facilitate vulnerability remediation.
Qualifications:
- Degree in Cyber Security, Engineering, Mathematics, Computer Science, or a combination of education and relevant experience.
- Training or experience in Web App or Network pentesting
- Training in cloud (ex., AWS Cloud Practitioner or Certified Cloud Security Professional)
- 5+ years experience working with Secure DevOps or a development pipeline and release management
- General knowledge of scripting languages (Python, etc.)
- Experience performing Application Security manual penetration tests and familiarity with pentesting tools (e.g., Burp Suite, Kali Linux, Postman)
- Knowledge of security architecture design and principles including confidentiality, integrity, and availability.
- Experience with using or reviewing output of automated code scanning tools and development pipeline tools
- Understanding of security concepts and practices, including those for authentication, authorization, access control and auditing as well as best practices (e.g. OWASP).
- Familiarity with application frameworks and their built-in security services and API’s (i.e., Sun J2EE, MS .NET, OMG CORBA, Spring, etc.)
- Familiarity with application authentication and authorization systems (i.e., CA SiteMinder, RSA SecurID/ACE, NS Active Directory and LDAP)
- General knowledge of cryptography (symmetric and asymmetric encryption, digital signatures, message digests, certificates, PKI, SSL/TLS, etc.)
- Professional network and/or security certifications a plus (i.e., GIAC, CISSP, CISA, CISM, CRISC)
- Cloud security/automation certifications a plus (i.e. GCSA, AWS Cloud Practitioner or beyond)
- Penetration testing certifications a plus (i.e. OSCP, GWAPT, Burp Suite Certified Practitioner)
