As an Application Security Engineer you will be driving the design and implementation of the company’s application security technical controls framework. You will be part of the organisation’s centralised information security team, and will report to the IT Security Team Lead in the Engineering and Operations team. Your main responsibilities will revolve around recommending and implementing technical controls and solutions to mitigate risks identified throughout the organisation’s development life-cycle. Further, you will be responsible for driving application vulnerability management processes and controls within the organisation. Your main focus will be application and product security, with a mix of responsibilities assisting the team in infrastructure security.
What you’ll be doing
You will be a key advisor within the team and organisation for matters related to Application Security with a strong focus on securing GiG’s products, information and people. Primary activities will include the following.
- Owning application security testing tools (e.g. SAST, DAST) to maintain the application security baseline;
- Coordinating and performing application security pentests, tying automated tools with manual exploitation of the industry's latest application security vulnerabilities;
- Gaining deep knowledge of our applications, products, tech stack and development processes, and being a partner to our development teams;
- Driving the adoption of container security, including:
  - The security of our Kubernetes/OpenShift clusters, access control, security operators (e.g. Vault) and more;
  - Container security initiatives such as container scanning and base container image hardening (e.g. distroless, seccomp, AppArmor);
- Designing application security related product features across our product ecosystem (e.g. risk-based authentication, audit logging as a feature) to enhance the value and security of our products;
- Performing vulnerability assessments driven through automation against products and applications;
- Performing secure code validations (e.g. PR reviews) to ensure that specific changes remediate a vulnerability or avoid introducing new ones;
- Aligning all products and teams through the company's vulnerability management procedure.
Security monitoring & Incident management
- Identifying and proposing monitoring enhancements for the core platform, partnering with Infrastructure, DevOps and our InfoSec and SOC teams;
- Researching, designing and developing methods of applying automated controls against known and common security attack patterns;
- Actively assisting in security incidents, coordinating with the various teams to ensure that impact and duration are minimised;
- Researching and applying methodologies that further enrich security events and monitors coming from various sources.
Who you are
- Minimum of 1 – 2 years of experience with a background in IT security engineering, secure development and/or security operations
- Able to communicate effectively with all levels of management and all stakeholders
- Ability to wear many hats (developer, engineer, troubleshooter, support, tester, inventor)
- Strong understanding of incident management and Agile software development processes
- Knowledge of one of the following: ISO 27000 family, NIST Cybersecurity Framework, ITIL, COBIT, PCI and privacy laws in Europe
- Ability to demonstrate and communicate how vulnerabilities can be exploited, including chaining different vulnerabilities to demonstrate advanced attack scenarios comprehensively
- Understanding of web application security weaknesses, including the OWASP Top 10 2021
- Strong coding skills; knowledge of Python 3 is considered a plus
- Practical knowledge of various aspects of service design, including messaging protocols and behaviour, caching strategies and software design practices
- Experience with OpenShift, NoSQL (e.g. Cassandra), Postgres and Kubernetes is considered a plus
- Knowledge of .NET Core security, including the Orleans framework, OWASP, and the security controls relevant to RabbitMQ/Kafka
- Deep analytical and problem-solving skills across a breadth of technologies
- Solid knowledge of container security, including container image security, IAM, the DevOps CI/CD lifecycle and its relevant security controls, secret stores (e.g. Vault) and surrounding security policies