BAMM Staffing

Senior Application Security Engineer

BAMM Staffing, Draper, Utah, United States, 84020


As a Senior Application Security Engineer, you will support the processes and procedures related to application security and gather information from product engineering teams related to these activities. You will promote a culture of security inside the engineering organization and work with engineers to produce more secure applications. You will collect and disseminate information throughout the business to ensure processes and procedures operate efficiently and effectively. You will support developers in their efforts to secure our applications and assist in the documentation and tracking of various application security and cloud activities.

What You Will Do
- Collaborate with engineers, consultants, and leadership to address security risks and provide mitigation recommendations within the Secure Development Lifecycle (SDLC)
- Build automated code scanning to identify security vulnerabilities in application code and infrastructure-as-code, using both open-source and commercial tools
- Integrate open-source and/or commercial static application security testing (SAST) tools with the CI/CD pipeline
- Enable secure-by-default practices by developing libraries and frameworks that prevent whole classes of vulnerabilities
- Operate at enterprise scale by building and managing tools that help test, monitor, and improve application security
- Develop security standards, preferred implementation patterns, secure common frameworks, and developer documentation and educational materials
- Provide secure-development training to software engineers on writing secure code and following best practices
- Conduct web application penetration testing, code scanning, and dependency scanning that can be incorporated into the SDLC and CI/CD pipeline
- Work closely with development teams to provide guidance and mitigate security vulnerabilities
- Perform security architecture and design reviews of all systems and applications
- Take a leadership role in the development, implementation, and maintenance of consistent application and infrastructure security architecture programs

Qualifications
- 3+ years of experience in an application security role
- Background in web application development and/or code auditing; able to get deep into the code to find and resolve security problems
- Experience with static and dynamic code analyzers (SAST/DAST)
- Experience with software composition analysis (SCA) tools
- Web application penetration testing and source code vulnerability analysis skills
- Extensive knowledge of internet security issues, cloud architectures, and the threat landscape
- General understanding of application and cloud security threats and vulnerabilities, including the OWASP Top 10, SANS/CWE Top 25, etc.
- Professional security certification: CISSP, GIAC, GWEB, GWAPT, or similar credentials
- Experience with Burp Suite, OWASP Zed Attack Proxy (ZAP), or a similar dynamic testing tool
- Knowledge of current development practices, including containerized applications, microservice architectures, serverless architectures, native mobile applications, responsive web applications, etc., is a plus

Ideal Candidate Profile
- Developer background with extensive experience (5-10 years) writing and understanding source code
- The mindset and initiative to analyze and fix vulnerabilities in source code, either independently or with tooling (open-source or commercial)
- Familiarity with multiple programming languages, with a preference for Ruby

Responsibilities
- Lead a security team (managing 2-3 people) and collaborate with 150+ full-time engineers, plus additional contractors
- Communicate with technical and non-technical stakeholders (e.g., explaining issues to the CTO, proposing remediation plans)
- Manage multiple layers of infrastructure, source code, and application criticality

Technical Skills
- Familiarity with GitHub Advanced Security or GitLab Ultimate for static and dynamic code analysis, dependency scanning, and vulnerability management is required
- Knowledge of other tools such as Snyk is a bonus but not essential
- Ability to automate tasks using scripts (e.g., generating vulnerability reports from scanner output)

Required Skills
- Hands-on experience integrating security tools into CI/CD pipelines
- Experience with automated code scanning and vulnerability assessment tools
- Ability to identify the right point in the pipeline for security interventions (e.g., pre-merge SAST and dependency checks, DAST against a staging deployment)

Penetration Testing
- Thorough understanding of the OWASP framework
- Expertise in both automated and manual penetration testing approaches
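The "automate tasks using scripts (e.g., generating vulnerability reports)" item above is the kind of task the tooling in this posting produces: both GitHub Advanced Security (CodeQL) and GitLab can emit SARIF 2.1.0 result files. The script below is an added illustration written for this page, not code from BAMM Staffing or from either vendor. It assumes the standard SARIF layout (`runs[].tool.driver.rules[]` for rule metadata, `runs[].results[]` for findings) and the severity buckets GitHub documents for the `security-severity` rule property (critical 9.0+, high 7.0-8.9, medium 4.0-6.9, otherwise low); the embedded SARIF document, its rule IDs, file paths and findings are constructed for the example and are hypothetical.

```ruby
# Summarize a SARIF code-scanning result file into a severity-ranked report.
# Added illustration, not part of the job posting. Assumes the SARIF 2.1.0
# layout emitted by GitHub Advanced Security (CodeQL) and by GitLab SAST
# reports converted to SARIF: runs[].tool.driver.rules[] and runs[].results[].
# The sample document below is constructed; paths, rule IDs and findings are
# hypothetical.
require 'json'

# Constructed sample: three CodeQL-style rules and three results.
SAMPLE_SARIF = JSON.generate(
  'version' => '2.1.0',
  'runs' => [{
    'tool' => { 'driver' => { 'name' => 'CodeQL', 'rules' => [
      { 'id' => 'rb/sql-injection',
        'shortDescription' => { 'text' => 'Database query built from user-controlled sources' },
        'properties' => { 'security-severity' => '8.8' } },
      { 'id' => 'rb/log-injection',
        'shortDescription' => { 'text' => 'Log injection' },
        'properties' => { 'security-severity' => '6.1' } },
      { 'id' => 'rb/unused-local-variable',
        'shortDescription' => { 'text' => 'Unused local variable' } }
    ] } },
    'results' => [
      { 'ruleId' => 'rb/sql-injection', 'level' => 'error',
        'message' => { 'text' => 'This query depends on a user-provided value.' },
        'locations' => [{ 'physicalLocation' => {
          'artifactLocation' => { 'uri' => 'app/models/user.rb' },
          'region' => { 'startLine' => 42 } } }] },
      { 'ruleId' => 'rb/log-injection', 'level' => 'warning',
        'message' => { 'text' => 'Log entry depends on a user-provided value.' },
        'locations' => [{ 'physicalLocation' => {
          'artifactLocation' => { 'uri' => 'app/controllers/sessions_controller.rb' },
          'region' => { 'startLine' => 17 } } }] },
      { 'ruleId' => 'rb/unused-local-variable', 'level' => 'note',
        'message' => { 'text' => 'Variable tmp is not used.' },
        'locations' => [{ 'physicalLocation' => {
          'artifactLocation' => { 'uri' => 'lib/report.rb' },
          'region' => { 'startLine' => 9 } } }] }
    ]
  }]
)

Finding = Struct.new(:rule_id, :title, :severity, :score, :path, :line, :message)

SEVERITY_ORDER = { 'critical' => 0, 'high' => 1, 'medium' => 2, 'low' => 3 }.freeze

# Map a security-severity score to the buckets GitHub code scanning uses
# (critical >= 9.0, high >= 7.0, medium >= 4.0, else low). Rules without a
# score (non-security queries) fall back on the SARIF level.
def severity_bucket(score, level)
  if score.nil?
    return { 'error' => 'high', 'warning' => 'medium' }.fetch(level, 'low')
  end
  return 'critical' if score >= 9.0
  return 'high' if score >= 7.0
  return 'medium' if score >= 4.0
  'low'
end

# Flatten every result across all runs into Finding structs, joined to the
# rule metadata by ruleId, sorted worst-first.
def parse_sarif(text)
  doc = JSON.parse(text)
  findings = []
  (doc['runs'] || []).each do |run|
    rules = (run.dig('tool', 'driver', 'rules') || []).to_h { |r| [r['id'], r] }
    (run['results'] || []).each do |res|
      rule = rules.fetch(res['ruleId'], {})
      raw = rule.dig('properties', 'security-severity')
      score = raw.nil? ? nil : raw.to_f
      loc = ((res['locations'] || []).first || {}).fetch('physicalLocation', {})
      findings << Finding.new(
        res['ruleId'] || 'unknown',
        rule.dig('shortDescription', 'text') || res['ruleId'].to_s,
        severity_bucket(score, res['level'] || 'note'),
        score || 0.0,
        loc.dig('artifactLocation', 'uri') || '?',
        loc.dig('region', 'startLine') || 0,
        res.dig('message', 'text') || ''
      )
    end
  end
  findings.sort_by { |f| [SEVERITY_ORDER[f.severity], -f.score, f.path, f.line] }
end

# Count findings per severity bucket, e.g. { 'high' => 1, 'medium' => 1 }.
def summarize(findings)
  findings.group_by(&:severity).transform_values(&:size)
end

# Plain-text table suitable for a CI job log or a ticket body.
def render_report(findings)
  lines = ['Severity  Score  Rule                      Location']
  findings.each do |f|
    lines << format('%-9s %5.1f  %-25s %s:%d', f.severity, f.score, f.rule_id, f.path, f.line)
  end
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  found = parse_sarif(SAMPLE_SARIF)
  p summarize(found)
  puts render_report(found)
end
```

In a pipeline the same functions would read the SARIF artifact the scan job wrote (`ruby report.rb results.sarif` with `File.read(ARGV[0])` in place of the constructed sample) and the summary hash is what a merge-request gate would compare against a policy such as "no critical or high findings".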