JOB DESCRIPTION:
Application Security Engineers work closely with cross-functional teams to ensure that Cellulant’s products are secure. As an application security engineer, you will be required to define security controls and design requirements during the product development and software build stage of the software lifecycle. You will also be required to lead the review of these controls into the software before deployment into production systems.
In this position, you are a passionate and talented application security engineer with a very deep understanding of out-of-the-box business logic vulnerabilities, OWASP, CWE 25, API Security, Mobile App Security, Data Protection, and best practices design and threat modeling skills who can work in a dynamic environment. You must be agile to produce secure code in short time frames and be willing to go beyond the standard routine.
CORE RESPONSIBILITIES:
The role holder would be responsible for the following:
- Identifying new or evolving business logic issues in a range of applications and creating complementary remediation plans
- Performing security-focused code reviews including for static, dynamic and runtime issue
- Supporting and consulting with product, development and operations teams in area of application security, including threat modeling
- Assisting engineering teams in reproducing, triaging, and addressing application security vulnerabilities.
- Assisting in the development of security processes and automated tooling that prevent classes of security issues.
- Leading both critical and regular security releases.
- Leading the development of automated security testing to validate that secure coding best practices are being used.
- Guiding and advising product development teams as a SME in the area of application security.
- Developing secure application development training and socializing the material with internal product and engineering teams.
- Participating and assisting in initiatives to holistically improve the quality and security across our product spectrum
QUALIFICATIONS & EXPERIENCE:
Qualification:
- More than 5 Years of Experience in Application Security, SSDLC and Threat Modeling with an MS/BS degree in Information System Management / Computer Science / Information Security or a related technical discipline with at least 3 years of Software Development experience
- MUST have a deep understanding of OWASP Top 10 (Web, Mobile and API) and CWE 25; with a proven track record and experience in implementing and strategies
- MUST be able to identify out-of-the-box business logic vulnerabilities/issues and swiftly design remediation strategies
- Well-versed in application design, penetration testing, application risk assessment and risk categorization
- Above average understanding of Open APIs and the best practices for securing them
- Experience in managing application security testing tools like SAST, DAST, RASP and Open Source Vulnerability Scanning
- Solid problem-solving and analytical skills; able to quickly digest any issue/problem encountered and recommend an appropriate solution.
- Able to work well with cross-functional teams.
- Experience identifying security issues through code reviews.
- Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
- Familiarity with common security libraries and tools (e.g. static analysis tools, proxying / penetration testing tools).
- Familiarity and ability to explain common security flaws and ways to address them (e.g. OWASP Top 10 and business logic vulnerabilities).
- Good development or scripting experience and skills. Java, SpringBoot, JavaScript, and/or python are preferred.
- A basic understanding of network and web-related protocols (such as TCP/IP, UDP, HTTP, HTTPS, protocols).
- CI/CD (Continuous Integration – Continuous Development) – Circle CI, Jenkins, GitHub
- Must be a self-starter, able to work under pressure and with limited supervision both individually and with other team members
- Must be able to put together basic reports for all security tests conducted
Must have experience:
- Must be a self-starter, able to work under pressure and with limited supervision both individually and with other team members
- Must be able to put together basic reports for all security tests conducted
- MUST have a deep understanding of OWASP Top 10 (Web, Mobile and API) and CWE 25; with a proven track record and experience in implementing and integrating remediation strategies
- MUST be able to identify out-of-the-box business logic vulnerabilities/issues and swiftly design remediation strategies
Nice to-have experience:
- Experience working in Agile teams
- Experience in Linux operating systems
- Excellent organization and time management skills and ability to work independently with minimal supervision
- Must be able to work in a fast-paced environment and manage priorities and multi-task
Skills:
- Exceptional storytelling skills.
- Creative problem-solving & project management skills
- The ability to connect the dots between mediums and disciplines (and people)
- Top-notch communication skills, including the ability to present ideas compellingly both internally and externally
- Excellent organisation and time management skills
- A deep understanding of brand development as well as both traditional and digital marketing
- Attentiveness, empathy, and the eagerness to constantly learn new things
- Strong aesthetic skills with the ability to combine various colours, fonts and layouts
- Ability to work effectively with colleagues at all levels.
- You are creative, innovative, and always think outside the box
- Ability to multitask and work in a fast-paced environment
- Excellent cross-organization collaboration skills.
