Job Title: Senior Application Security Engineer

Labor Category: Specialist 3

Location: New York NY

Job Type: Contract

Work schedule: Normal business hours Monday-Friday 9-5, 35 hours/week (not including mandatory unpaid meal break after 6 hours of work).

Duration: 1 Years

Pay Rate: $90 - $100 per hour

SCOPE OF SERVICES:

The NYC IT Project Management Office specializes in developing multiple large scale, workflow software applications that improve the efficiency and efficacy of the NYC business teams that perform operations such as permitting, inspections, roadway repair, bridge maintenance and street sign management. Some examples of projects that the IT PMO has recently initiated are: an application that allows restaurants to apply for the new outdoor dining license program, and allows staff to review, approve, and deny the outdoor dining license requests; an application that allows the roadway repair team to track the bike lane installation and resurfacing work they do; an application to track the work required to perform installation of pavement markings, and renewal of pavement markings that are fading; a workflow and asset management system used to manage the installation and replacement. and to document the current and historical inventory of signs by location; and a workflow system that is used to manage the preventative and unplanned infrastructure maintenance. The selected Project Manager will assist the IT PMO with implementing projects similar to the applications previously mentioned above.

TASKS:

? Perform comprehensive cybersecurity risk analysis, identifying and prioritizing risks specifically related to application security.

? Develop, socialize, and implement security strategies to address vulnerabilities in web applications, microservices, APIs, and mobile applications.

? Track and manage progress against security plans, ensuring timely remediation of identified vulnerabilities.

? Lead the security implementation in application development projects, ensuring "secure by design" practices.

? Create and maintain architecture diagrams, outlining secure communication flows, and develop both high-level and low-level security design documents.

? Troubleshoot and resolve application security issues in collaboration with internal teams and external vendors.

? Translate application compliance requirements into specific security controls, recommending compensating measures where appropriate.

? Regularly report on the organization’s security posture, with a focus on application vulnerabilities, to senior management.

? Perform/coordinate application vulnerability assessments and ensure timely remediation in collaboration with the Development, IT, and Systems teams.

? Implement secure coding practices, perform static and dynamic application security testing (SAST/DAST), and support developers with secure code reviews.

? Monitor security incidents and respond to application-level threats, ensuring quick resolution of potential vulnerabilities.

? Establish and enforce secure configurations for applications and their underlying infrastructure, such as databases and APIs.

? Perform threat simulations to detect risks and recommend improvements for securing application designs, API security, identity management, and access control measures.

? Collaborate with teams to ensure continuous integration and continuous deployment (CI/CD) pipelines incorporate security controls.

MANDATORY SKILLS/EXPERIENCE: Note: candidates who do not have the mandatory skills will not be considered.

• 12 years of experience in application security, with a proven track record of conducting vulnerability assessments, penetration testing, and secure code reviews.
• Extensive experience in secure application development, including knowledge of security frameworks like OWASP Top 10, and the ability to guide development teams in implementing secure coding practices.
• Proficiency in Software Composition Analysis (SCA) tools (e.g., Veracode, AppSec) for identifying and managing vulnerabilities in open-source libraries and third-party components.
• Advanced knowledge of static and dynamic application security testing (SAST/DAST) tools (e.g., Veracode, AppSec, Burp Suite) and integrating these tools into CI/CD pipelines for automated security checks.
• Strong cloud security expertise, including securing applications and workloads on AWS, Azure, or GCP, and experience with Web Application Firewalls (WAF) and cloud-native security services.

Preferred Skills/Experience for Consultant Candidates:

• Advanced cloud security experience: Experience securing cloud environments (AWS, Azure, GCP) with tools like Web Application Firewalls (WAF), and implementing IAM, encryption, and monitoring tools.
• Experience with scripting and automation, using Python, Bash, or PowerShell, to automate security tasks, integrate security testing tools, and improve the efficiency of security operations.
• Strong communication skills: Ability to effectively explain complex security concepts and risks to both technical teams and non-technical stakeholders, ensuring alignment on security measures.
• Leadership and mentoring skills: Experience leading security teams or initiatives, mentoring junior engineers, and fostering a culture of security awareness within the organization.
• Collaboration and cross-functional teamwork: Proven ability to work effectively with development, DevOps, and IT teams to integrate security into all aspects of the business, ensuring security goals align with business objectives.
• Highly flexible/willing to learn new technologies.
• Highly organized with excellent analytical, problem solving and decision-making skills.

Additional Qualifications:

• Certifications such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP), or GIAC Web Application Penetration Tester (GWAPT) are highly preferred.
• Knowledge of compliance standards like NIST, PCI-DSS, and GDPR and how they apply to application security.