Application Security Engineer / Secure Code Analysis
Enforces application security in all phases of the software development life cycle. Works closely with team members to define application security best practices, performs software architecture and design reviews, and supports the identification, interpretation, and remediation of vulnerabilities across a variety of applications, programming languages, and platforms.
• Develops security procedures and methods to ensure the safety of information systems and to protect the system from intentional (unauthorized) or accidental (inadvertent) access or destruction.
• Engineers, implements and monitors security measures for the protection of computer systems, networks and information. Documents and implements Standard Operating Procedures (SOPs).
• Serves as a liaison between development teams and stakeholders to understand and formulate complex security requirements for project/program.
• Defines, maintains, and enforces application security best practices. Identifies opportunities for process improvements and leads efforts implement.
• Evaluate new technologies and processes that enhance security capabilities.
• Writes comprehensive reports including assessment-based findings, outcomes and propositions for further system security enhancement.
• Identifies additional application security related tools, conducts tool analysis, and provides recommendations on what tools will enhance security protocols.
• Performs and conducts penetration tests and manual/automated code reviews.
• Creates and delivers training developers and other relevant team members on Secure Code Development as well as other security protocols.
• Designs, develops or recommends integrated system solutions ensuring proprietary/confidential data and systems are protected
Bachelor’s Degree in Computer Science, Engineering, or other Engineering or Technical discipline or equivalent relevant experience. Master’s Degree preferred.
10-15 years of experience as an Application Security Developer, Application Security Analyst, or equivalent.
Other Job Specific Skills
• Desired experience with the some or all of the following technologies: Anchore, ASP.net/C#, Code review and analysis, Comfortable with Linux and Windows environments, Java, Microfocus Fortify, PortSwigger Burp Suite, Sonatype Nexus Auditor, Sonatype Nexus IQ
General experience supporting development teams
• Experience integrating security tools into CI/CD pipelines
• Experience with VA application security (SCA) process
• Experience conducting dynamic application security assessments
• Experience working with containers
• Expertise with application server technologies such as Spring Framework, Spring Security, Web Services, REST, and Hibernate.
• In-depth knowledge of and experience with security technologies, single-sign-on and identity management technologies.
• Expertise with web system security concepts, including authentication, authorization (RBAC), encryption/hashing, SAML, and LDAP.
• Advanced knowledge of web application vulnerabilities such as cross-site scripting (XSS), sessions hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors.
• Hands-on experience with encryption, hashing, secure random number generation, key derivation, digital signatures, etc.
• Advanced knowledge of network based, system level and application layer attacks and mitigation methods, and TCP/IP, HTTP/S, and related protocols.
• Experience with static code analysis tools including HP Fortify.
• Experience working with GIT source code management.
• Must have solid working experience and knowledge of Unix/Linux operating system.
• Experience with one or more of the following technologies: Vagrant, Chef, Rake, Gradle, Jenkins, and Cache DB.
• Understanding of Agile/Scrum methodologies is preferred.
• Experience with Axiomatics is preferred.
U.S. Citizenship Required? No
Light office duties
which may include sitting for prolonged periods of time, viewing digital
screens for prolonged periods of time, lifting up to 10 pounds, use of a desk
or mobile phone, typing on a keyboard, writing with a pen, pencil, or stylus, etc.
It is the policy
of ASM that an individual's race, color, religion, sex, disability, age, sexual
orientation or national origin are not and will not be considered in any
personnel or management decisions. We affirm our commitment to these
All recruiting, hiring, training, and
promoting for all job classifications is done without regard to race, color,
religion, sex, disability, or age. All decisions on employment are
made to abide by the principle of equal
The physical requirements described in
“Knowledge, Skills and Abilities” above are representative of those which must
be met by an employee to successfully perform the primary functions of this
job. (For example, “light office duties’ or “lifting up to 50 pounds”
or “some travel” required.) Reasonable accommodations may be made to
enable individuals with qualifying disabilities, who are otherwise qualified,
to perform the primary functions.
The preceding job
description has been designed to indicate the general nature and level of work
performed by employees within this classification. It is not designed
to contain or be interpreted as a comprehensive inventory of all duties,
responsibilities and qualifications required of employees assigned to this