Job Description
The InfoSec team is responsible for finding and solving the biggest security risks facing our applications and infrastructure. As an engineering team ourselves, we do this by building paved roads and guardrails. We believe that the secure option should also be the easiest option for our users. We’re looking for a strong Engineer with a deep understanding of securing applications in a Cloud-native world to help us execute this vision.
YOU WILL:
- Develop automated security testing for centralized security libraries that scale directly with developer needs and enable developers to write secure code more easily.
- Take significant ownership of security training and evangelize it with development teams.
- Drive initiatives which scale application security and holistically address application vulnerabilities.
- Review code in context and defend findings.
- Support and consult with product and development teams in application security, including threat modeling and AppSec reviews.
- Assist teams in reproducing, triaging, and remediating application security vulnerabilities.
- Assist in development of security processes and automated tooling that prevent classes of security issues.
- With a focus on AWS, build the application-specific security components of the next phase of ATPCO's Cloud infrastructure, shaping secure application development for years to come.
- Build automation to help us discover, measure, and contextualize application security issues.
- Partner with platform teams to deliver solutions that permanently solve entire categories of security risk.
- Participate in varied penetration testing and vulnerability assessments of applications, operating systems and/or networks.
REQUIREMENTS:
- Able to work collaboratively with and advocate for software development teams.
- Experience with product management tools and practices, and the ability to interface directly with product teams to assign work and influence backlogs for security needs.
- Experience identifying security issues through code review.
- Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
- Familiarity with some common security libraries and tools (e.g. static analysis tools, proxying / penetration testing tools).
- Knowledge of Secure SDLC and security standards such as OWASP, CWE, NIST, and the OSSTMM 5 Penetration Testing Methodology.
- Familiarity and ability to explain common security flaws and ways to address them (e.g. OWASP Top 10).
- Development or scripting experience and skills; experience with JSON, Python, YAML, CloudFormation, Terraform, PowerShell, etc. is preferred.
- A strong understanding of network and web-related protocols (such as TCP/IP, UDP, HTTP, and HTTPS).
- Strong analytical, technical, and organizational skills, including strong attention to detail.
- Prior application security experience in a distributed, multi-Cloud hybrid environment with a focus on AWS.
- Knowledge of application penetration testing, threat modeling, and security architecture reviews.
- Experience integrating security into the development pipeline, with hands-on experience with Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Runtime Application Self-Protection (RASP), and Software Composition Analysis (SCA) solutions.
- Experience configuring cloud and platform technologies (AWS, Kubernetes, Docker, Linux, Windows).
- Ability to establish, maintain, and report on metrics regarding overall application security posture.
- Excellent technical documentation skills.