Typical task breakdown:

- Security Defect Management: Analyzing, validating, communicating, and consulting on security defects identified by both automated and manual sources such as CodeQL, Rapid7 Web Application Security, penetration testing, bug bounty, etc. In other words, our security engineers are partners to software engineers, who require accurate information on why a vulnerability exists and what they can do about it.
- Engineering Consulting: Serving as a "best friend" to software engineers, architects, product owners, and leaders; providing contextually aware guidance to help these groups make good decisions, document those decisions and the resulting architectures, and navigate the relevant review and approval processes (where necessary) when implementing new features and remediating existing issues.
- Tool Enablement: Enabling and monitoring automated defect detection tooling (CodeQL, Rapid7, etc.) at the repository or application level according to established process.
- Security Test Onboarding & Management: Collecting and communicating the required scope and access information for penetration testing and security assurance assessments, and handling the output of these assessments via our Defect Management Process.

Interaction with team:

- Accountable for a dedicated set of applications, working directly with their development teams. Part of a larger security engineering team that sets standards and ways of working for interacting with development teams.
- Security Engineers will help development teams identify security gaps in their applications and services, and assist in coming up with solutions to close those gaps and make services compliant with enterprise security requirements.
Education & Experience Required:

- Bachelor's degree in computer science or a related field with 8+ years in information security, or
- Master's degree with 6+ years' experience

Technical Skills (Required):

- Application security expertise: understanding vulnerabilities and remediation solutions (OWASP, CWE/CVE, SANS 25)
- Experience with a wide variety of information security processes and principles, such as:
  o Enterprise security architecture
  o Threat modeling
  o Vulnerability assessment
  o Risk analysis
  o Defense in depth
  o SDLC and product development processes
  o Identity and access management
  o API security
  o SCA/SAST/DAST
- Cloud security experience with MS Azure and/or AWS
- Professional certification (CISSP, CCSP, GWAPT, GWEB, AWS SA / Certified Security, etc.)
- Development experience (Java, Python, .Net, JS, or equivalent)
- Implementation of automation and scripting (Desired)
- Web services security

Desired:

- Professional information security certification (CISSP, CCSP, CSSLP, GISCP, GWAPT, GWEB, etc.)
- Strong understanding of and experience with information security technologies

Soft Skills (Required):

- Excellent written and verbal communication skills; demonstrated ability to communicate highly technical security concepts to non-security audiences
- Ability to coordinate multiple teams in accomplishing process review and improvement
DSM-H LLC