APPLICATION SECURITY ENGINEER

The Application Security Engineer (ASE) is responsible for promoting, designing, and evaluating application security in all phases of the application life cycle.
The ASE shall ensure that appropriate and effective security techniques and solutions are identified, implemented, and used.
Essential Job Functions:

Software Security Assessment:
• Evaluate applications for appropriate and effective use of security controls using tools and techniques such as source code analysis, vulnerability scanners, and manual testing techniques.

Application Security Control Development:
• Provide expert guidance to developers on the appropriate selection and implementation of relevant application security controls.
Security Awareness Training:
• Design, develop and deliver presentations focused on raising awareness for crucial security relevant considerations and defensive programming techniques.
Contract Security Provision Review:
• Work with business stakeholders and legal services to evaluate service agreements with Application Service Providers (ASPs), and provide expert guidance related to security provisions necessary to help ensure the necessary visibility and rights needed to protect our data and meet our commitments.
Other Job Functions:

Participate in research of information security technologies (in the areas of application and application infrastructure components) and propose ideas for new security service development.
Participate in all aspects of security service development projects including the following project phases:
business case development, requirements gathering, architecture development, product/service selection and procurement, functional & QA testing, detailed technical design, technology infrastructure implementation and deployment, migration from existing services, operational process and procedure documentation, operations staff training, and internal marketing of security services.
Advise and consult internal clients on appropriate application of security practices and existing security services to solve problems or enable new business opportunities.
Deliver previously developed information security services in support of corporate needs including:
requirements gathering, technical design, service deployment and integration, migration, operational transition, end user documentation, user training.
In support of various enterprise IT initiatives, recommend, customize, implement, document, and transition to operations reusable technical security service components including application level intrusion detection systems, authentication systems, authorization systems, audit trail management systems, cryptographic systems, and others as defined by management.
Research and implement new security technologies to be used as point solutions for IT initiatives unable to take advantage of or needing greater functionality than reusable enterprise security services.
Recommend new security service development ideas based on accumulated knowledge of project-specific security requirements.
Identify and implement improvements to application security team processes and supporting software tools (Java and C#/ASP based) to continually improve the team's effectiveness and efficiency.
Serve as subject matter expert on application and information security technologies and methodologies.
Perform other duties and responsibilities as assigned.
Essential Education/Experience Requirements:
• Bachelor of Science in Computer Science, or equivalent education or experience.
Emphasis in software security a plus.
At least three (3) years of professional experience, including:
• Two (2) or more years in software engineering and development with emphasis on the delivery of secure, Internet-exposed, multi-tier, web-based systems using Java/J2EE and/or C#/ASP/.NET (experience with both a plus).
• At least one (1) year of hands-on experience evaluating the security of applications using both manual and automated techniques.
Relevant tool experience should include code security scanners such as Fortify SCA, web vulnerability scanners such as HP WebInspect or IBM Rational AppScan, assessment support tools such as BurpSuite, Metasploit, Core Impact, etc… .
Strong written and verbal communication skills.
Specific relevant experience may include technical reports (especially application security assessment reports), technical whitepapers, presentation development and delivery (for both technical and business audiences), technical training, etc.
Candidate should have experience making and defending sound technical arguments that incorporate relevant technical and business considerations, and building consensus among stakeholders
Other Desirable Experience:

Security-related experience with the following:
• Providing software architecture security guidance, including developing application threat models and methodically protecting against business logic and design flaws that could introduce security vulnerabilities.
• Web Application Firewalls such as Imperva SecureSphere and Breach WebDefend.
• Design patterns and coding standards for secure software.
• Secure configuration and operation of Application Servers, Web Servers, Directory Servers, Media/Content Servers, Messaging Servers, Database Servers, and Integration Servers.
• Application authentication & authorization systems such as RSA ClearTrust and Netegrity Siteminder.
• Application layer intrusion detection systems such as Sanctum AppShield, or Kavado.
• Knowledge of PKI systems such as RSA Keon.
• Knowledge of cryptographic tool kits for application development such as RSA BSAFE or others.
• Knowledge of and experience with built-in and add-on security capabilities of common application infrastructure components such as MS SQLServer, Oracle, MS IIS, iPlanet Directory, MS Active Directory, MQSeries, MSMQ, MS Exchange.
• Knowledge of general application security API's and protocols such as:
MS CryptoAPI, Kerberos, SSL/TLS, SAML, S/MIME, and PKCS API's.
• End-to-end, hands-on experience in security solutions for complex enterprise architectures.
• Knowledge of cryptographic solutions for protection of data in use, in transit and at rest, such as:
Masking, SSL/TLS, IPSec, format preserving encryption & sanitization, etc….
• Knowledge of security considerations related to virtualization and cloud computing.
• Mobile Application Security on iOS and/or Android devices; includes experience in secure development of applications and/or analysis.
Financial services industry (Insurance, Banking, Investments) experience a plus.
•