Interview: Phone and skype
Description:
The Senior Software Security Engineer will work within software engineering organizations to translate and define security requirements, use and mature practices for building secure applications; and suggest and support remediation activities for identified vulnerabilities. This position requires interest and expertise in defining and executing on a software engineering security practice; strong proven software development skills; expertise with major software infrastructures (J2EE, .NET, Oracle) and architectures (Web, SOA); an ability to build rapport and credibility with management and software development teams; and the ability to document and communicate the results of code reviews and penetration tests. Successful candidates must be action-oriented self-starters, capable of solving complex technical problems both independently and in a team environment. Candidates must also be able to communicate clearly and effectively to both technical and executive level audiences, both verbally and in written form.
Responsibilities
•Defines security related programming standards, use of APIs that support secure coding, code review, use of automated scanning tools, and penetration testing.
•Works with software engineering teams and Enterprise Architecture (EA) to build out formal product security plans that put in place controls to build security in during the software development life cycle.
•Stays current with emerging software security technologies, trends, and attack vectors, with a primary focus on internal reference architectures and security standards.
•Performs/participates in architectural reviews that are meant to identify and remedy architectural security flaws.
•Responsible for the use of security-related code analysis tools and takes the lead on tuning, enhancements, upgrades, and tool integration.
•Develops threat models in conjunction with architects and software engineering staff.
•Oversees the development of misuse/abuse cases in conjunction with requirements analysts.
•Works with the Information Security Office on incident response and operational/strategic initiatives.
•Provides thorough documentation regarding the processes and technologies that support secure software development practices
•Work with IT Groups to define, develop, socialize and execute long-term software security roadmap, including:
•Act as a liaison between software engineers and the Information Security Office.
•Work with product teams to understand security requirements for software applications.
•Participate in projects with software engineers and provide security oversight, constructive expertise and guidance to implement appropriate security controls that address business needs.
•Scope the marketplace for application security related tools, conduct tool analysis and provide recommendations.
•Consult with software engineers and the Software Engineering groups to further their understanding of security principals and tools.
•Conduct and coordinate in-house vulnerability assessments and code-reviews on software products.
•Consult on technical security issues/incidents as needed.
•Conduct risk assessment planning sessions and results read-outs.
•Initiate and conduct manual/automated code reviews (via risk assessments).
•Work with the Security Program and 3rd party software/shared services
•Define and modify security touch points currently in the Product Software Security Plan (PSSP) and eventually in the broader Software Development Lifecycle (SDLC).
•Provide security requirements to requirements analysts as input to the requirements process Define abuse cases, threat modeling and architectural risk analysis.
•Periodically analyze the effectiveness of the Software Security Program and provide recommendations, as necessary, on process improvement.
•Participate in maintaining the security API used applications
•Help review static analysis tool findings with product teams and other IT stakeholders; lead manual code inspections; identify secure coding practices.
•Identify and add custom rules based on security bugs found via static analysis, testing, and/or security response incidents.
•Review dynamic analysis tool findings and identify sources of problems with product teams and other IT stakeholders.
•Consult with Development, Operations, Business Owners and the Information Security Office on technical security issues.
•Facilitate trade-offs between security, operability, usability, and feature-set
•Provide risk assessments and recommendations to management.
•Conduct security assessments on applications, and provide purchase recommendations to management.
•Define impact to project schedule/budget to comply with Software Security Program directives.
•Strategically align high level business requirements and security strategies with pros/cons analysis for business to manage risk.
•Continuously improve IT security processes in line with SDLC and review/audit processes to assure compliance with regulatory and industry security standards
Qualifications
Education/Experience
Bachelor's Degree in a related field plus additional related college courses or professional training. Four to seven years of progressively responsible directly-related experience.
Related Skills & Other Requirements:
•Must have strong knowledge in one or more of the following: HTML, JavaScript, DOM, AJAX, CSS/CSS2, XML, XHTML, DHTML, etc.
•Must have adequate knowledge of J2EE and/or .NET technologies.
•Experience writing automated unit tests.
•Experience in performing code reviews.
•Strong interest in IT Security with a passion to solve problems.
•Knowledge of TCP/IP, HTTP/S and other protocols.
•Knowledge of cross-site scripting (XSS), session hijacking, SQL injection, CSRF (Cross-Site Request Forgery), OWASP Top 10, and other attack vectors a plus.
•Knowledge of OWASP Web Security Certification Criteria, OWASP testing guidelines and PCI Data Security Standards is a plus.
•Experience with one or more of the following tools is a plus: nmap, Nessus, Metasploit, TCPDump, Burp Suite, ZAProxy.
•Experience with IBM AppScan Source Edition, IBM AppScan Standard, and/or Client Fortify is a plus.
•Experience with the following source code repositories is a plus: SVN, GIT, IBM ClearCase
•Any knowledge of one or more of the following is a plus -- Python, Ruby, PHP or other scripting languages.
•Reverse engineering experience is a plus.
•Protocol analysis and forensic analysis experience is a plus.
•Experience installing, configuring and maintaining continuous integration (CI) environment(s) using tools such as Cruise Control, Cruise Control.NET, Hudson, Jenkins, Bamboo, Gauntlet, in a test driven development (TDD) process is a plus.
•Experience with one or more of the following static analysis tools is a plus: FindBugs, FxCop, and PMD.
•Additional certifications such as CISSP, CSSLP, CEH, ENCE, CCE, GCFA, GCIA, GCIH, CHFI and/or QSA are highly desired.
•
Last updated on Sep 16, 2016