The Development Security Engineer is an enabler for the wider Application Security team, which engineers security solutions and provides security assurance within infrastructure projects and application developments. The Application Security team has presence in 4 locations (Porto, Cluj, London and Dublin) and is responsible for the security of all applications developed internally or externally. Key stakeholders include Security Engagement partners, delivery services architects and SRE managers, project managers, heads of delivery, platform and central functions. It is an early imperative that the Development Security Engineer achieves the status of trusted business partner, engaging with business units and central functions at the planning stage of company changes, seeking regular feedback from stakeholders and demonstrating positive contributions to business initiatives.
In this role you will work closely with the Security engagement partners and project teams throughout the organisation to ensure effective and efficient coverage of all projects by the existing security tools (static application security testing, dynamic application security testing, dependency checking, etc.), so that security vulnerabilities are detected and acted upon as early as possible in the project lifecycle. You will act as lead of the Application Security Engineering team, coordinating and supporting multiple projects simultaneously, and will have to ensure timely delivery of agreed pieces of work.
In addition to ensuring the continuous and reliable availability and performance of the existing security tools (both commercial and internally developed), the role also involves their continuous improvement (namely to cover emerging technologies/frameworks) and the coordination and hands-on development of the internally developed tools to meet new business and governance needs. You are also expected to play a key role in the definition and implementation of application security governance and monitoring controls that allow the enforcement of the applicable policies and the prevention/detection of any attempts to circumvent them.
As a trusted business partner you will provide insightful and timely security advice that enables our company business initiatives to move at pace whilst ensuring application security risks are clearly articulated and appropriately managed.
- Ensure the continuous and reliable availability and performance of the existing security tools (both commercial and internally developed);
- Understand the architecture of production systems including identifying the security controls in place and how they are used;
- Understand and provide advice on using static code analysis tools to enhance the code review process, integrate them with application build scripts, write custom rules and train developers to use them;
- Contribute to automating certain security tasks within the Continuous Delivery (CD) pipeline;
- Research and evaluate emerging technologies to detect, mitigate, triage, and remediate software security defects across the enterprise;
- Support the engineering needs of the Application Security and wider Security function;
- Develop plans for security technologies that integrate effectively with other aspects of the technical infrastructure.
NON-TECHNICAL KEY RESPONSIBILITIES
- Act as lead of the Application Security Engineering team, coordinating and actively participating in the timely delivery of agreed pieces of work;
- Liaise with Security engagement partners, delivery managers, security champions and quality assurance teams to ensure effective and efficient coverage of all projects by the existing security tools;
- Work with application teams across locations to encourage a security mindset throughout product development processes from development to testing and implementation;
- Provide full-service engagement, offering ideas, options, solutions and advice to projects within his/her area of responsibility;
- Champion application security throughout the software development lifecycle;
- Build strong business relationships with partners inside and outside the company to understand mutual goals, requirements, options and solutions to complex or intangible software security issues;
- Constantly contribute to the Security Champions initiative, providing training & awareness to relevant employees.
ESSENTIAL SKILLS & EXPERIENCE
- Initiative to propose solutions to relevant problems and to drive their implementation;
- Ability to find solutions to seemingly intractable security problems;
- Able to take a holistic view of technology across the business;
- Strategic thinker with a proven ability to innovate;
- Good communication and documentation skills – ability to communicate with technical and non-technical audiences at all levels of the organization;
- Flexible attitude and ability to meet deadlines under pressure;
- Strong understanding of three-tier web applications;
- Basic experience in the administration of both Windows Server and Linux systems.
DESIRABLE SKILLS & EXPERIENCE
- Experience in the coordination of small teams;
- Experience in IP networking and High Availability is valued;
- Good understanding of threats, vulnerabilities and risks, namely OWASP. Ability to help people to clearly and accurately articulate complex threats and risks, controls and mitigations;
- Knowledge of various security tools e.g. Burp, Fortify, Checkmarx, WebInspect, Layer 7 firewalls, vulnerability scanners;
- Knowledge of software development security principles and best design practices;
- Strong analytical and diagnostic skills;
- Broad technical knowledge and ability to pick up new technologies quickly;
- Security-related qualifications are a plus (e.g. CISSP, CEH, etc.).