Desired Skills and Experience

  • Serve as the primary Secure Development champion by evangelizing and embedding with the software engineering teams to integrate secure development practices.
  • Partner with Information Security to conduct application security reviews to assess technical and business risk, identify threats and potential security issues in applications, specify solutions, and verify through testing.
  • Assist in the creation of software specifications for secure development and continually research threats, common vulnerabilities based on the OWASP Top 10, and new attack models.
  • Perform secure code audits.
  • Provide security consultancy and advice to engineering teams, evaluate security scan results, and lead development remediation.
  • Develop presentations and diagrams to communicate secure development practices, security state, and design requirements.
  • Develop test plans for security production verification to assist Engineering and QA with security test methodologies and tools.
  • Build relationships with peers and stakeholder teams (Information Security, Engineering, QA, Operations, etc.).
  • Establish a trusted security advisor role.
  • Mentor and train other technical team members throughout the company on the importance of secure software development.
  • Develop security metrics and measurement capabilities to demonstrate application security, security architecture, and Security Development Lifecycle (SDL) activities.
  • Guide teams on adoption and execution of a Secure Product Life Cycle (SPLC).
  • Collaborate with the Lead Application Security Engineer to create the application security roadmap and strategy.
  • College or University degree in Computer Science or a related discipline.
  • 5+ years’ experience as a Security Software Engineer.
  • Experience in application security and core Microsoft .NET technologies including: WCF, WPF, WF, LINQ and EF.
  • Experience with web security and web development technologies including ASP.NET, MVC3+, JavaScript, AJAX, and CSS.
  • Experience with security vulnerability concepts and remediation techniques.
  • Experience with cloud and mobile security concepts.
  • Experience with browser, web service, and operating system security concepts.
  • Experience with token authentication and authorization.
  • Experience with identity and access management solutions such as Azure AD, ADFS, OAuth2, OpenID Connect, etc.
  • Experience with code review, threat modeling, pen-tests, and design analysis.
  • Must be able to convey complex security issues and risks while maintaining a positive relationship with product teams.
  • Experience with source control management systems and continuous integration/deployment environments.
  • Experience with automated testing; working on an agile team; multi-threading and concurrency; debugging, performance profiling, and optimization.
  • Experience with agile development methodologies including Kanban and Scrum.
  • Internally motivated, able to work proficiently both independently and in a team environment.
  • Proven communication skills with both internal team members and external business stakeholders.
  • Strong initiative to find ways to improve solutions, systems, and processes.
  • Experience bringing security designs and secure development practices into agile development environments, QA teams, and product planning (product requirements documents, coding style guides, user stories, technical specifications, verification and testing methods, etc.).
  • Experience with code analysis tools such as HP Fortify, HP WebInspect, Integrated Application Security Testing, and equivalent technologies.
  • Experience with PCI compliance, PCI-DSS, etc.
  • Security certifications preferred, including: CSSLP, GWEB, GSSP, CEH, GWAPT, CASS.