Security Engineer
Company
NBME
Location
Philadelphia, PA
Type
Full Time
Job Description
The Security Engineer will collaborate closely with software architects and engineers across the NBME® to help them design, develop, and test with a security-first mindset. The candidate should be open to learning new security-related procedures, techniques, and tools. The candidate should be a self-starter who can work independently after receiving initial direction. The role is accountable for assessing the application security of all external-facing systems built or purchased for use by the NBME.
Diversity, Equity, and Inclusion Statement
At NBME, we continue to innovate and improve how we fulfill the evolving needs of the health care community. This commitment starts and ends with the people at NBME. By recruiting and empowering talented individuals from various disciplines and backgrounds, which includes professionals with diverse life experiences, abilities, and perspectives, NBME can take a well-informed, robust approach to advancing medical education and assessment for years to come. We also continue to focus on ensuring that our DEI work is impactful and ingrained in everything we do, including with our staff, workplace culture, products and services, the Philadelphia community and the broader medical education landscape.
RESPONSIBILITIES
- Perform deep-dive penetration tests of NBME and vendor systems, identify security vulnerabilities, and suggest remediation.
- Assist engineering teams in feature design, threat modeling, secure code review, and use of Veracode's IAST platform.
- Understand and evangelize industry best practices, and drive internal awareness sessions and workshops.
- Identify areas of security risk and appropriate security controls.
- Provide security reviews of 3rd party systems.
- Implement, test and operate advanced software security techniques in compliance with technical reference architecture.
- Monitor compliance to application security policy, standards, and procedures.
- Help guide security requirements and objectives for product features.
- Leverage internal and external resources to research threats, vulnerabilities, and intelligence on various attackers and attack infrastructure.
QUALIFICATIONS
Skills and Abilities
- Well versed in application security including manual business logic vulnerability testing.
- Ability to communicate technical security concepts to technical audiences and business partners, both orally and in writing.
- Expertise with application test methodologies and tooling (e.g., nmap, nikto, dirb, Burp, Veracode, etc.).
- Strong knowledge of OWASP Top 10 web vulnerabilities and how to engineer software to avoid them.
- Strong knowledge of SANS Top 25 most dangerous software errors and how to engineer software to avoid them.
- Able to identify false positives and compensating security controls during assessments.
- Software development experience in one or more of the following core languages: Bash, C#, Java, JavaScript, Python, and PowerShell.
- Ability to read and understand source code in one or more of the above languages.
- Ability to prioritize multiple tasks and projects in a dynamic environment.
- Able to adapt to the ever-changing threat landscape and keep abreast of cybersecurity developments.
Experience
- Minimum 5 years engineering and/or operations security experience.
- Experience with application, networking, and system security.
- Experience with Veracode's Integrated Application Security Testing platform.
- Experience with integrating application security scans within a CI/CD pipeline.
- Experience using Burp Suite Pro.
- Experience with Threat Modeling architectural data flows.
- Experience with Microsoft Threat Modeler a plus.
- Experience with service-oriented architectures and web services security.
- Experience applying static and/or dynamic analysis in application testing, including web-based applications, web services, and APIs.
Education
- Bachelor's degree in computer science or related field. Would consider combination of education and/or years of experience in place of degree.
- Holding one or more of these certifications is a plus: CISSP, CEH, GIAC, GPEN, GSEC, GWAPT, OSCP, or OSWE. The candidate should be willing to obtain one of these certifications during the first 12 months of employment if none is currently held.
About NBME:
NBME offers a versatile selection of high-quality assessments and educational services for students, professionals, educators, regulators and institutions dedicated to the evolving needs of medical education and health care. To ensure our assessments meet the highest standards of quality, stay relevant and align to the current curriculum in medical schools and training programs, we rely on a wide network of collaborators. These include the volunteers who help develop our exam questions, the committees and panels who represent various groups within the medical education community, external researchers and health profession organizations.
We are committed to meeting the needs of educators and learners globally with assessment products and expert services such as NBME® , , s, the ® Program and . Together with the Federation of State Medical Boards, NBME develops and manages the , which measures the ability to apply knowledge and skills that form the basis of safe and effective patient care. Our Competency-based Assessment unit is focused on new methods as well as the optimization of assessment in the workplace and education.
As a result of leadership in ongoing research, innovative measurement practices and the exploration of forward-thinking assessment modalities and improvements, NBME advances assessment science. Our grant and funding opportunities further support this dedication to medical education and assessment science. We help develop the next generation of assessment professionals through our . Through the , and , researchers and educators can continue to improve the assessment of health care professionals around the world.
NBME views diversity, equity and inclusion (DEI) as foundational and enduring to our strategy and vision. We continue to focus on ensuring that our DEI work is impactful and ingrained in everything we do, including with our staff, culture, products and services, the Philadelphia community and the broader medical education landscape. Our commitment manifests in our hiring and staff development, recruitment for committees, grants programs, design and review of our assessments, and involvement in our local and national communities.
Learn more about NBME at .
The NBME offers competitive salaries, excellent benefits, and a rewarding work environment. Excellent Benefits include: Healthcare, Dental, Prescription, and Vision plans; 401(k) w/match; Retirement Income Plan, Tuition Reimbursement Plan, Commuter Benefit: Public Transit or Parking options. Remote Friendly Workplace.
COVID-19 Considerations:
Being fully vaccinated against COVID-19 is a condition of employment, subject to potential reasonable accommodations for legitimate medical or religious reasons which prevent such vaccination. Applicants who have received a conditional offer of employment will be requested to provide information about their COVID-19 vaccination status.
NBME is an EEO employer as defined by the EEOC.
Date Posted
08/10/2022