We require a recognized expert in the Application Security area, capable of leading the engineering requirements of the application security aspects of products built in-house and ensuring alignment with the global technology strategy. The Application Security (AppSec) team has presence in 4 locations (Porto, Cluj, London and Dublin) and is responsible for the security of all applications developed internally or externally.
In this role you will focus on ensuring effective and efficient coverage of all projects by the existing security tools (static application security testing, dynamic application security testing, dependency checking, etc.). You will also advise and work closely with the other AppSec areas (Architecture and Testing & Assurance), the wider Security team and project teams throughout the organisation to ensure the adoption of best-of-breed Application Security practices, so that security vulnerabilities are detected and acted upon as early as possible in the project lifecycle. You will also act as lead of the Application Security Engineering team, coordinating and supporting multiple projects simultaneously, and will have to ensure timely delivery of agreed pieces of work.
In addition to ensuring the continuous and reliable availability and performance of the existing security tools (both commercial and internally developed), the role also involves their continuous improvement (namely to cover emerging technologies/frameworks) and the coordination and hands-on development of the internally developed tools to meet new business and governance needs. You are also expected to play a key role in the definition and implementation of application security governance and monitoring controls that allow the enforcement of the applicable policies and the prevention/detection of any attempts to circumvent them.
- Research and evaluate emerging technologies to detect, mitigate, triage, and remediate application security defects across the enterprise;
- Understand the architecture of production systems including identifying the security controls in place and how they are used;
- Act as lead of the Application Security Engineering team, coordinating and actively participating in the timely delivery of agreed pieces of work;
- Ensure the continuous and reliable availability and performance of the existing security tools (both commercial and internally developed);
- Understand and provide advice on using static code analysis tools to enhance the code review process, integrate with application build scripts, write custom rules and train developers to use;
- Contribute to automating certain security tasks within the Continuous Delivery (CD) pipelines, ensuring that they are effectively and efficiently covered by the security tooling (e.g. SAST, DAST, etc.) used by PPB, across all locations and the whole technology estate;
- Support the engineering needs of the Application Security and wider Security function;
- Develop plans for security technologies that integrate effectively with other aspects of the technical infrastructure;
- Build strong business relationships with partners inside and outside Betfair to understand mutual goals, requirements, options and solutions to complex or intangible application security issues;
- Proactively identify issues/risks, and plan and implement remediation, with guidance and supervision rarely required.
Essential Skills & Experience
- At least 3-5 years in a similar role
- Strategic thinker with a proven ability to innovate, regularly reviews and enhances the processes, methodologies or practices in place
- Strong and up-to-date technical background
- Works predominantly independently and is able to undertake complex tasks with minimal supervision and guidance
- Must have experience as part of a complex architecture/development practice, working on multiple large and complex projects simultaneously
- Demonstrable impact on strategic development of technology in a medium or large sized company
- Experience of managing and performing security assessments (design review & pen test)
- Excellent understanding of threats, vulnerabilities and risk, namely OWASP. Ability to help people clearly and accurately articulate complex threats and risks, controls and mitigations;
- Knowledge of various security tools e.g. Burp, Fortify, Checkmarx, WebInspect, Layer 7 firewalls, vulnerability scanners
- Experience of integrating the above toolset into Continuous Delivery and Continuous Integration pipelines using tools such as Jenkins
- Knowledge of software development security principles and best design practices;
- Exposure to an enterprise architecture framework (TOGAF, SABSA etc.)
- Ability to find solutions to seemingly intractable security problems
- Able to take a holistic view of technology across the business
- Strong communication and documentation skills – ability to communicate with technical and non-technical audiences at all levels of the organization
- Flexible attitude and ability to meet deadlines under pressure
- Exposure to highly-transactional or very high throughput systems
- Experience in IP networking and High Availability is valued
- Broad technical knowledge and ability to pick up new technologies quickly
- Experience in the coordination of small teams
- Public presentations at conferences of recognised relevance in the AppSec area
- Active in the AppSec community (e.g. OWASP Chapters)