Section 1: Position Summary
Reporting to the BISO, the Application Security Engineer is responsible for the application security program. This position requires a passion for data protection, a combination of application development and/or security experience, strong communication and organizational skills, collaborative abilities, self-motivation, innovation, efficiency and attention to detail. This position will perform a variety of application security responsibilities across Ascensus and be the primary resource for our application security program. This role serves as a trusted application security advisor to Ascensus scrum teams to drive best practices for application security and to help ensure the confidentiality, integrity and availability of our web and application programming interfaces (APIs). The Application Security Engineer is deeply involved with our application scrum teams and is instrumental in helping define the strategy to meet the information security organization's high-level goals, while still being embedded within the scrum team processes and serving as a subject matter expert in secure development practices. This is a critical role at Ascensus requiring strategic thinking, taking initiative, and proactive interaction at many levels. This role will receive strong support from the Head of Technology and the Information Security Leadership to effectively execute on defined organizational goals and strategic plans.
Section 2: Job Functions, Essential Duties and Responsibilities
- Responsible for protecting, securing, and proper handling of all confidential data held by Ascensus to ensure against unauthorized access, improper transmission, and/or unapproved disclosure of information that could result in harm to Ascensus or our clients.
- Our I-Client service philosophy and our Core Values of People Matter, Quality First and Integrity Always® should be visible in your actions on a day-to-day basis, showing your support of our organization.
- In conjunction with security and development leadership, develops a comprehensive, agile, and innovative DevSecOps approach that supports all phases of the software development lifecycle (SDLC) and identifies and effectively manages risk.
- Provide security consultation to scrum teams, application owners, and technology teams on relevant security controls and secure SDLC process
- Participate in sprint planning meetings and various decision-making sessions to ensure that security requirements and considerations are built into the development practices
- Conduct application security analysis, including architecture review, analysis of data flows, penetration testing support, and threat modeling
- Build and monitor compliance with application security policies, coding standards, and security controls in support of mitigating threats
- Responsible for the deployment and integration of services to support SAST, DAST and SCA functions. Assist development teams in performance of static and dynamic testing, triage findings and provide remediation guidance where necessary
- Assist with other tasks and projects as assigned
Section 3: Experience, Skills, Knowledge Requirements
Secure Software Development
- A minimum of 7 years’ experience in Secure Software Development and/or DevSecOps (preferred)
- Ability to define software security and privacy requirements
- Solid understanding of threat modeling, risk, and mitigation from internal and external threats
- Experience with development of system security architecture diagrams and security architecture specification per security architecture standards
- Experience performing software security design reviews
- Experience integrating security testing tools into a CI/CD pipeline, including tools such as Static and Dynamic Application Security Testing (SAST/DAST) and Software Composition Analysis (SCA)
- Experience with application testing tools (e.g., Burp Suite, Fiddler, Zap, Wireshark, Metasploit)
- Experience configuring WAFs, API gateways, and API security tools
- Solid understanding of the most common application and API security risks (OWASP Top 10, SANS/CWE Top 25)
- Solid understanding of application, database and network vulnerability testing principles
- Working knowledge of the Microsoft Security Development Lifecycle (SDL), OWASP Software Assurance Maturity Model (SAMM), or Building Security in Maturity Model (BSIMM)
- Experience with assessing secure adoption of third-party components such as open source or commercial software
- .NET/Java Experience a plus
- Understanding of information security frameworks such as ISO 27001, NIST, and CSA, and experience operating in an environment regulated against FFIEC, SEC and/or HIPAA requirements
- Solid understanding of authentication and authorization systems
- Solid understanding of cryptographic standards (e.g., encryption, hashing, key management, digital signatures, etc.)
- Ability to provide vulnerability remediation guidance and mentoring to product development software engineers
- Ability to translate security risks to business impact
- Experience running or managing vulnerability assessments using automated tools (e.g., Nessus, Qualys, etc.) as well as managing penetration testing engagements
- Understanding of privacy regulations as they relate to the handling and protection of information
- Experience with fraud detection and analysis as it relates to custom developed applications
- Experience integrating automated testing tools into a CI/CD pipeline
- Experience implementing cloud security controls following Cloud Security Alliance (CSA) or Cloud Service Provider (CSP) best practices (Azure, AWS, etc.)
- Experience implementing and supporting security automation tools (e.g., Kubernetes and CSP platform configuration, hardening, and monitoring)
We are proud to be an Equal Opportunity Employer
At Ascensus, we aspire to make a difference for others. We are a technology-enabled services company that helps people save for retirement, education, and healthcare through our network of institutional, financial advisor, and state partners. Our culture is guided by sound principles, is committed to high standards, operates with transparency, and welcomes diversity—housed within our Core Values: People Matter. Quality First. Integrity Always.®
As a leading independent recordkeeping services partner, retirement plan third-party administrator, and government savings facilitator, we aim to hire associates who find pride in going to work every day knowing that they help more than 12 million people save for what matters.