Application Security Engineer
We’re looking for an exceptional individual who has the desire, skills, and passion to make a direct impact on the success of our client’s industry-leading HSA platform. You will be a key contributor, directing security architecture and design for a talented engineering team that works closely with the business team to meet requirements.
What’s in it for you?
- Work with really fun, smart people and innovative technology.
- Work in the very heartbeat of the company; close to the code that is used by over a million members, employers, health plan partners and our very own business users.
- Benefit millions of people by becoming part of the Consumer Driven Health Care initiative which is revolutionizing the way health care costs are managed.
- Become part of an organization that is young and nimble enough so you can actually make a difference.
- Be an individual and team contributor. Because we’re a growing company, your skills will be magnified and improved.
- The company will invest in training opportunities and focus on your personal development. (This includes the CEH, CISSP, or any of the certifications listed below.)
The primary focus of this position is to ensure that the technology platform is secure by design and to guide software delivery teams to achieve this goal. You will achieve this through the following:
- Working closely with agile software development teams during the design and development process to guide secure feature design and secure coding practices.
- Developing application threat models for web, mobile, and public APIs, and mitigation strategies for the vulnerabilities identified.
- Teaching scrum teams how to develop and maintain feature level threat models and mitigate the vulnerabilities identified.
- Conducting static and dynamic code analysis using industry standard tools to support product release cycles.
- Performing manual and automated code reviews.
- Developing and teaching secure coding standards and practices.
- Participating in web / mobile application security assessments and penetration testing on projects and/or releases; producing detailed risk reports with identified vulnerabilities and remediation recommendations.
- Evaluating, tracking, and ensuring remediation of high and critical vulnerabilities; developing, maintaining and updating scorecards that reflect open vulnerabilities and communicating them to teams and team leaders.
Requirements
- Bachelor’s degree in Computer Science, Computer Engineering, or other Engineering discipline; graduate degree is a plus.
- At least 5 years of experience directly involving the design of secure application features and design patterns for enterprise class .NET based Web Applications.
- Demonstrated knowledge developing system and application threat models for enterprise applications and designs to mitigate high risk application threats.
- Experience training development teams to develop their own application threat models.
- Knowledge of the OWASP Top 10 and related exploitation techniques, including but not limited to cross-site scripting, SQL injection, session hijacking and insecure direct object references, as used to obtain controlled access to target systems.
- Strong understanding of implementing secure web services and identifying vulnerabilities in legacy web services.
- Experience with commercial dynamic and static application scanning tools (DAST and SAST) such as IBM’s AppScan, HP Enterprise Fortify and Fortify on Demand.
- Significant experience leading teaching code reviews to instill an understanding of good design principles in other team members.
- Strong understanding of SOLID software design and implementation principles.
- Advanced C# development skills.
- Advanced ASP.NET MVC 5 and Web API skills.
- Industry certifications preferred: CEH, CISSP, OSCP, GWAPT, LPT or ECSA.
- Additional certifications desirable: CSSLP and GSSP.