Staff Application Security Engineer
This is an exciting opportunity to be a part of a dynamic team building out the first purpose-built risk management platform for the insurance industry. This is a highly robust SaaS platform that supports more than 400 insurers, reinsurers, trading companies, and other financial institutions, which rely on its models and SaaS solutions to better understand and manage the risks of natural and human-made catastrophes, including hurricanes, earthquakes, floods, terrorism, and pandemics.
The Staff Application Security Engineer will be responsible for:
· Ensuring web applications, APIs and cloud services are planned, designed, developed, implemented, and monitored in accordance with security controls related to SOC 2, ISO 27001 and the Information Security Policy.
· Developing, implementing and monitoring enterprise information security architectures and solutions.
· Designing and automating assessments through penetration testing and ethical hacking, then analyzing security risks and recommending mitigating and compensating security controls.
· Performing internal penetration testing working closely with the engineering team to assess and prioritize discovered security issues and vulnerabilities.
· Maintaining and supporting application security tools, including static and dynamic security analysis solutions, and developing related documentation.
The Staff Application Security Engineer will work closely with:
· Cross-functional teams to embed security, logging, and auditing into, and support, all applications hosted within the corporate and cloud environments.
· Security Operations to develop new incident response plans and playbooks related to web application security threats.
· Software Engineering and QA departments to ensure security principles are enforced in all stages of the software development lifecycle.
Qualifications:
· Experience with the development, deployment, and automation of application security solutions in an enterprise cloud-based environment.
· Deep understanding of OWASP Top 10 and CWE/SANS Top 25.
· Demonstrated proficiency in ethical hacking and white-hat penetration testing.
· Demonstrated experience in investigating security issues related to web application exploits, credential theft, and authentication-based attacks.
· Experience in creating detailed solution design documents and diagrams.
· 7+ years of experience in Information Security with an emphasis on application security.
· At least one security-related certification, such as CISSP, GIAC, CSSLP, or CEH, is required.
· Knowledge of technical security control environments and compliance frameworks, including CSA CCM, ISO 27001, and SOC 2.
· Hands-on technical proficiency with Burp Suite, Metasploit, and Kali Linux.
· 3+ years of experience as a software engineer in some capacity, especially application, platform or product development. Programming experience in Java, C++ or C highly preferred.
· In-depth knowledge of web application architecture, API development, and MVC frameworks.
· Experience in DevOps environments and maintaining security in CI/CD processes is highly desired.
· Solid understanding of either Amazon AWS or Microsoft Azure architectures/ecosystems.
· Demonstrated ability to facilitate automation and integration through scripting in PowerShell, Python, Perl, etc.
· Working familiarity with threat models for large, distributed systems and cloud-based SaaS infrastructure.
· Proven ability to manage priorities and deadlines and to work independently in a highly dynamic and diverse environment with multiple concurrent projects.