Summary:
The Application Security Engineer is central to embedding security practices within our DevOps methodology, bridging the gaps between IT and security while ensuring the swift and safe release of code. This role involves implementing security measures throughout the DevOps pipeline to protect applications and APIs and ensuring compliance with the necessary security standards.
Key Responsibilities:
· Incorporate security measures into every stage of the DevOps pipeline to protect applications and APIs.
· Implement and maintain controls within the Continuous Integration/Continuous Deployment (CI/CD) pipeline to meet necessary security standards.
· Gain experience with SAST (Static Application Security Testing), SCA (Software Composition Analysis), DAST (Dynamic Application Security Testing), IaC (Infrastructure as Code) security, Container security, integrating security in IDEs (Integrated Development Environments), and API security.
· Use automated tools regularly for routine security checks.
· Facilitate collaboration among development, operations, and security teams.
· Develop policies that align with regulations, alongside conducting comprehensive assessments of application/API security.
· Educate teams about secure application/API usage, keeping up-to-date with cybersecurity trends, ensuring adherence to secure design principles across all Software Development Life Cycle (SDLC) phases, managing incident response protocols, and providing training on secure coding best practices.
· Utilize automation tools to identify potential vulnerabilities before they escalate into threats.
· Evaluate third-party services for potential weaknesses in their security posture.
Additional duties include ensuring that vulnerabilities are remediated before code moves to production and providing guidance on the remediation process for application/API security vulnerabilities. This role also requires collaboration with Information Security Officers (ISOs), DevOps teams, Application Development teams, Vendor Partners, and Cyber Engineering teams. The position ensures compliance with industry-specific regulations such as GDPR or HIPAA.
Experience and Educational Requirements:
· Bachelor’s degree in IT, Cybersecurity, or a related field, or equivalent work experience.
· 8+ years of experience with CI/CD pipelines, Jenkins, controls, and regulations.
· Security certifications such as CISSP (Certified Information Systems Security Professional), OSCP (Offensive Security Certified Professional), or CEH (Certified Ethical Hacker) would be advantageous.
· Minimum 5 years of experience in a similar role within a large, geographically dispersed environment.
· Strong understanding of information security principles.
· Excellent communication skills: able to explain complex concepts clearly to both technical and non-technical stakeholders.
· Understanding of industry-standard regulations, risk management, and security controls frameworks and standards (e.g., ISO, PCI, NIST, GAPP, HIPAA, GDPR, CIS, SANS, OWASP Top 10, MITRE ATT&CK, etc.).
Skills Desired:
· Understanding of risk assessment methodologies.
· Experience with various vulnerability assessment tools (e.g., Checkmarx, Microsoft Defender).
· Strong interpersonal skills: ability to work collaboratively within a team.
· Reporting and metrics expertise with platforms such as ServiceNow (SecOps), PowerBI, etc.
Working Hours: The candidate must work during US morning business hours, up to 11 AM CST, to provide support to our Business, IT, DevOps, and Application Development global teams. Accordingly, the candidate's working day in India will be from 1:30 PM IST until 9:30 PM IST.
Any Graduate