Job Location: Washington, DC
Job Type: Full-Time (W-2)
Pay: Up to $140K/yr (Depends on Experience)
Clearance: Public Trust eligible
SUMMARY:
The Application Security Engineer will work with the development teams to carry out application security reviews and apply compliance guidelines. This role ensures that adequate and effective security processes, controls, and lifecycles are followed and aligned so that application security best practices and frameworks are delivered in accordance with the security policy and regulatory requirements. The Application Security Engineer supports the information security and compliance program by establishing appropriate assessments and managing and tracking risk mitigation and remediation activities.
DUTIES AND RESPONSIBILITIES:
- Perform threat modeling, vulnerability analysis, penetration testing, code review, and SDLC support
- Provide expert advice and consultancy to customers on risk assessment, threat modeling and fixing vulnerabilities.
- Design, implement and support security-focused tools and services.
- Write technical reports based on findings
- Deliver courses about application security
- Identify security vulnerabilities in applications written in C++ and Java for modern versions of Linux and Windows via code reviews and reverse engineering
- Identify weaknesses in various network protocols
- Offer solutions to discovered vulnerabilities
- Develop tools and scripts to aid in reverse engineering and vulnerability discovery
- Suggest secure design techniques to management and customers to improve application security posture
- Prepare reports on project progress and present results to the customer and management
- Maintain current knowledge of relevant vulnerabilities and mitigation techniques
- Ability to perform comprehensive code reviews
- Overall responsibility of security for Prosper Applications.
- Identifies, highlights, and provides security recommendations during requirement and design reviews.
- Conducts in-house penetration testing and code-reviews of Prosper applications and platform.
- Provides consultancy for Product development, Engineering & Operations team on technical security issues and remediation.
REQUIRED SKILLS:
- 7+ years of Application Security Experience
- Experience in vulnerability testing and auditing
- Prior code audit / application penetration testing
- Knowledge of secure development practices and techniques including OWASP Top Ten
- Experience in the Information/Cyber-Security profession
- Experience working with development team(s) that delivered commercial software or software-based services (development, QA testing, or security role)
- Experience with one or more modern RE tools: IDA Pro, WinDbg, Radare2, OllyDbg, Binary Ninja
- Experience working with common Application Security Tools e.g. (Fortify, AppScan, Webinspect, etc.)
- Experience and knowledge of industry IDS/IPS, logging, vulnerability management, monitoring, firewall technology, wireless security, anti-virus protection, OS patching, data loss prevention, and SIEM technology and solutions
- Languages experience: Java/C#, T-SQL, JavaScript, HTML
- Experience with a modern web application framework (Java/Rails/.NET) required; .NET Framework 3.0-4.0, ASP.NET, ASP.NET MVC desirable; NHibernate, IoC-based framework, AOP framework, Web Services (SOAP/WSDL or REST/WADL), WCF desirable
- Knowledge of authentication mechanisms like SAML, OAuth, etc.
- Knowledge of security flaws and their resolution as listed by sources such as OWASP, SANS, etc.
- Well versed in common web application and cloud security flaws and exploitation techniques as put forth by sources such as SANS, the OWASP Top 10, and the Cloud Security Alliance (CSA)
- Should have at least one of the Preferred Certification(s): GIAC Certified Web Application Defender (GWEB), GIAC Secure Software Programmer-Java (GSSP-JAVA), GIAC Web Application Penetration Tester (GWAPT), Certified Ethical Hacker (CEH), Certified Secure Software Lifecycle Professional (CSSLP)