Application Security Engineer

IBM Multiple Cities

Company

IBM

Location

Multiple Cities

Type

Full Time

Job Description

Introduction

Application Security Engineers play a critical role in protecting applications from vulnerabilities and attacks, ensuring the confidentiality, integrity, and availability of sensitive data. Their responsibilities span the entire software development lifecycle, requiring a blend of technical skills, security expertise, and interpersonal abilities.

In this role, you'll work in one of our IBM Consulting Client Innovation Centers (Delivery Centers), where we deliver deep technical and industry expertise to a wide range of public and private sector clients around the world. Our delivery centers offer our clients locally based skills and technical expertise to drive innovation and adoption of new technology.

Your role and responsibilities
  1. Secure Software Development: Work closely with developers to incorporate security into the software development lifecycle (SDLC), promoting secure coding practices and conducting code reviews.

  2. Vulnerability Assessment: Regularly perform vulnerability assessments and penetration testing to identify weaknesses in applications and suggest improvements.

  3. Threat Modeling: Develop and maintain threat models to anticipate potential security threats and design appropriate countermeasures.

  4. Security Tool Implementation: Select, deploy, and manage security tools for static and dynamic application security testing (SAST and DAST), such as Fortify, SonarQube, or OWASP ZAP.

  5. Security Compliance: Ensure that applications meet relevant security standards and regulations like OWASP Top Ten, HIPAA, or GDPR.

  6. Security Training and Awareness: Design and deliver training programs to educate developers and other stakeholders on secure coding practices and application security best practices.

  7. Incident Response: Participate in responding to application security incidents, working with the broader security team to contain, mitigate, and recover from breaches.

  8. Security Documentation: Maintain accurate and up-to-date security documentation, including security requirements, design specifications, and testing results.

  9. Collaboration: Work closely with development, QA, and other IT teams to integrate security considerations into all stages of application development and deployment.

  10. Research and Development: Stay current with new security threats, vulnerabilities, and mitigation techniques, and evaluate emerging security technologies for potential application.

  11. Risk Management: Identify, analyze, and prioritize application security risks and propose appropriate risk mitigation strategies.

  12. Third-Party Security: Evaluate and oversee the security of third-party libraries, components, and services used in applications.

  13. Policy Development: Contribute to the development and maintenance of organizational application security policies and procedures.

  14. Continuous Improvement: Regularly review and refine application security practices, tools, and processes to maintain effectiveness and efficiency.

  15. Professional Certifications: Pursuit of relevant professional certifications like Certified Information Systems Security Professional (CISSP), Certified Software Security Engineer (CSSLP), or Offensive Security Certified Professional (OSCP) can enhance expertise and credibility.

Required education
Bachelor's Degree
Preferred education
Master's Degree
Required technical and professional expertise
  • Architecture / Solution Reviews
  • Threat Modelling
  • Access Model / PAM Reviews
  • System Configuration Reviews
  • ITPF Conformance Assessment
  • Secure Coding Practices
  • Web Interface or API Security Review
  • SAST / DAST Scans
  • Pentest
  • IaC Scanning
  • Secrets Scanning
  • Logging and Monitoring Review
  • BR and DR Assessment

Date Posted

12/09/2025
