Application Security Engineer - Hyderabad, India - Vertafore

    Full time

    JOB DESCRIPTION

    As a mid-level Application Security Engineer, you will be responsible for evaluating all aspects of the software system design lifecycle. You will be expected to understand the principles of secure software design; to be fluent enough in modern high-level programming languages to read code and identify deficiencies in it; to communicate to development teams the issues that exist and how to resolve them; to be familiar with the Agile planning process and its associated tools; to be familiar with common CI/CD platforms and software security engines; and to have a high-level understanding of operating systems and cloud environments.

    Core Requirements and Responsibilities:

    Essential job functions include but are not limited to the following:

    · Partner with development teams to configure and perform static, dynamic, and software composition analysis scans using commercial software scanning products such as Fortify, Veracode, Checkmarx, or similar tools.

    · Understand and configure applications in the CI/CD platform for integration with scanning tools.

    · Troubleshoot security scans and work with development teams to configure scans for different OS platforms, including but not limited to Windows and Linux.

    · Review results from automated code scanning, validating which reported results are false positives and providing guidance to development teams on how to resolve the true positives.

    · Participate in Agile planning with development teams to ensure secure coding is baked into the development process rather than bolted on after the fact.

    · Participate in the development of threat models for new products and the maintenance of threat models for ongoing products.

    · Participate in the evaluation of new application security tools (e.g. code scanners and web application firewalls (WAFs)).

    Knowledge, Skills and Abilities:

    · Excellent communication skills: able to speak about security concerns with both technical and non-technical audiences.

    · Proficient at reading a wide variety of programming languages, especially Java, JavaScript, C, C++, and C#.

    · Familiar with PowerShell and Linux command line.

    · Familiarization with Amazon Web Services equivalent to the knowledge required for the AWS Certified Cloud Practitioner certification

    · Proficient in Git, GitLab, and at least one commercial software scanning solution

    · Knowledgeable of the Agile planning process and commercially available tools used to enable the Agile planning process (e.g. Jira, Rally, Confluence)

    · Familiar with ServiceNow

    · Knowledgeable on Threat Modeling

    · Knowledgeable on the OWASP Top 10 vulnerabilities (2021 Edition) and how to resolve or mitigate them

    · Knowledgeable of the NVD, CVEs, and CVSS 3.0 scores

    · Knowledge of best practices in Incident Response for software applications

    · Familiarity with APIs, common API vulnerabilities, and how to secure them

    · Able to work with a minimum of supervision

    Qualifications:

    · Bachelor's degree in Information Security, Computer Science, or equivalent combination of education and working information security experience required.

    · Minimum 5 - 8 years of Information Technology or minimum 3 - 7 years of Information Security

    · Minimum 3 years of writing or evaluating programming code in at least one of the following languages: Java, JavaScript, C++, C#, or Python

    · Certifications such as Security+, SSCP, or CISSP preferred but not required.

    Additional Requirements and Details:

    · Travel required up to 10% of the time.

    · Located and working from the Hyderabad office.

    · Able to work at least a portion of the day when US offices are open.

    · Occasional lifting and/or moving up to 10 pounds.

    · Frequent repetitive hand and arm movements required to operate a computer.

    · Specific vision abilities required by this job include close vision (working on a computer, etc.).

    · Frequent sitting and/or standing.