Title: Application Security Engineer - Remote
US
Donnelley Financial Solutions (DFIN) is a leader in risk and compliance solutions, providing insightful technology, industry expertise and data insights to clients across the globe. We’re here to help you make smarter decisions with insightful technology, industry expertise and data insights at every stage of your business and investment lifecycles. As markets fluctuate, regulations evolve and technology advances, we’re there. And through it all, we deliver confidence with the right solutions in moments that matter.
Summary:
The Application Security Engineer will functionally support product engineering and development teams to secure the company's SaaS product portfolio. The Application Security Engineer will be responsible for assessing and understanding the security posture and attack surface of all DFIN products, and for assisting in the development of the appropriate security controls.
Responsibilities:
- Conduct security assessments, security penetration testing and validation of test results
- Provide security insights to vulnerability scan/pen test results
- Work closely with development teams to assess the security posture/risk of the product features being developed
- Perform architectural risk analysis, threat modeling, secure design and source code review
- Effectively manage relationship with external application security and penetration testing partners
- Incorporate security tools/tasks into the automated product development and deployment lifecycle (SAST/DAST/IAST integration into the CI/CD pipeline)
- Provide expert knowledge and guidance to the product development teams about security vulnerabilities and applicable remediation paths
- Serve as a critical resource to ensuring each DFIN product is developed in alignment with industry-leading Secure Product/Software Development standards
- Participate in development of the DFIN Application Security Standards, best practices and associated metrics
Qualifications:
- Bachelor's degree with 5+ years of relevant work experience, OR demonstrated ability to meet the job requirements through a comparable number of years of applicable work experience and education
- Self-driven, highly motivated with a strong customer focus
- Strong analytical and problem-solving skills
- Solid project management skills, especially in a cross-functional environment
- Familiarity with Agile/Scrum methodologies and associated tools
- Prior exposure to modern CI/CD pipelines including tools and technologies such as Azure DevOps (former VSTS), GitHub, Jenkins and others
- Must have a “breaker” mentality, but be effective at designing the mitigating controls
- Ability to develop technical (XSS, etc.) and functional (fraud, etc.) abuse test cases
- Working knowledge of vulnerability management and penetration testing tools such as NMAP, Core Security, Burp, ZAP, Rapid7 Nexpose, Kali Linux, or Metasploit
- Working knowledge of NIST framework, Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM)
- Solid understanding of OWASP security concepts and common application security risks, such as XSS, CSRF, SQL Injection, Cookie Manipulation, etc.
- Solid understanding of fundamental application security building blocks such as: authentication, authorization, data validation, encryption, exception handling and logging
- Solid understanding of leading cloud platforms such as MS Azure and Amazon AWS, their inherent security risks and relevant security controls
- Solid understanding of the micro-services, containerization technologies (Docker, Kubernetes) and associated security technologies/controls (Aqua, Twistlock and others)
- Experience with one of the market-leading SAST/DAST/IAST tools such as Checkmarx, Veracode, Rapid7 AppSpider, IBM AppScan or HP/Micro Focus Fortify
- Experience with one of the programming languages and/or programming frameworks such as C#, JavaScript, .NET or others