Job Description :
Penetration/Application Security Test Engineer
Bellevue, WA
Long-Term

Job Description
This position is accountable for the execution and delivery of planned milestones assisting clients/customers in learning, understanding and applying secure software development methodologies. Successful candidates will be acting as an application security engineer/tester, advisory and liaison with development teams during the remediation of code-level security flaws.
Required

Extensive experience developing in Java, Python, JavaScript (i.e. NodeJS, AngularJS), TypeScript variants (i.e. Angular 2+), and common scripting languages (i.e. Bash).
Deep experience working with XML and web services, including SOAP and REST.
Thorough understanding of coding concepts such as: authentication mechanisms, data serialization.
Thorough understanding of application architectures such as: n-tier, client and server/API, microservices, etc.
Understanding of both application and network layer security considerations and how to fix them, such as: buffer overflows, time-of-check/time-of-use (TOCTOU) race conditions, input validation, encapsulation, insecure protocols, MITM attacks, SQLi, etc.
Ability to work well both independently as well as within a team.
Excellent verbal, written, and interpersonal communications skills.
Ability to handle several tasks, be organized, make decisions, and work efficiently/effectively under deadlines.
Bias for action and strong desire to affect change.
Preferred
Experience with agile software development practices.
Experience with handling and deploying to different environments (i.e. Development, Staging, Production).
Qualifications
Bachelor of Science with 3+ years of experience in cybersecurity
CISSP/GIAC preferred

YOUR RESPONSIBILITIES
Day-to-Day
Working as a technical, hands-on security leader alongside application development teams, business development, DevOps and other delivery teams.
Use technical knowledge of vulnerability families (e.g. OWASP Top 10) and circumstantial code context to explain the nature of a security issue as well as the best fix.
Work collaboratively with development teams to bring open flaws to resolution.
Create a feedback loop with the application security assessment teams and tools to enhance accuracy of assessment findings.
Promote industry leading security standards.
You will be responsible for ensuring that both internally developed applications and third-party vendor applications are implemented in a manner that assures the proper implementation of application security controls.
You MUST stay ahead of the bad actors in helping us to secure our web and mobile applications.
Performs static/dynamic code testing, manual code inspection, threat modeling, design reviews and penetration testing of internal web applications and external partner applications to identify vulnerabilities and security defects.
Supports the implementation and enforcement of secure design principles according to policies, standards, and patterns of Information Security.
Work closely with development/application teams early in the design phase to ensure systems are built securely.
Provide subject matter expertise and mentorship on architecture, authentication and system security.
Develop and implement manual and automated security testing of web applications to enforce security standards.
Works with security product vendors and service providers to evaluate their security offerings.
Must be familiar with the below tool sets:
Fortify SCA (Expertise: Advanced, must be able to automate the source code scanning through the CI/CD stack)
Fortify WebInspect (Expertise: Advanced, must be able to automate where possible)
Nessus
Nmap
Veracode
Burp Suite
OWASP ZAP (Zed Attack Proxy)
SCAP
Threat Modeling (e.g. STRIDE)
Must be very well versed in the OWASP Top 10 vulnerabilities and must be able to demonstrate exploitation of such vulnerabilities in mobile, web and console applications.

Ad-Hoc / As Needed

Assist with writing formal specifications and documentation.
Assist with developer education in secure coding concepts.