Application Security Engineer

Hearst · Austin TX

Company

Hearst

Location

Austin TX

Type

Full Time

Job Description

The Application Security Engineer will deliver secure cloud infrastructure and software using best practices and commercial and open-source security testing tools. This individual will work across departments on key business initiatives, including direct-to-consumer, and support the organization's continued adoption of AWS and Azure cloud services. The candidate will automate security testing in the development process and work with Cybersecurity, Infrastructure, DevOps, and Application Development teams to interpret requirements and translate them into actions while balancing security, agile software development, and continuous integration and deployment (CI/CD).

Responsibilities:
• Perform security testing of applications early in the software development lifecycle, leveraging DAST and SAST, and assess applications against Cybersecurity best practices, policies, and compliance mandates.
• Manage the security components of continuous integration and delivery software pipeline to ensure security testing is performed throughout the CI/CD pipeline.
• Automate Cybersecurity controls testing within CI/CD pipelines that package, test, and deploy infrastructure and containerized applications.
• Design and implement threat modeling processes to determine the controls needed for a given application within the software development lifecycle.
• Provide SME guidance in assessing cloud infrastructure to address findings resulting from design reviews, threat modeling, and SAST and DAST testing.
• Perform vulnerability assessments and pen testing, and work across department lines to communicate findings and drive forward risk remediation efforts.
• Contribute to the decisions being made that impact Hearst's cloud implementations, direction, and cloud security posture.
• Design and implement security risk metrics monitoring to report on threats and the Cybersecurity posture; define data reporting metrics to drive forward continuous security improvements, including gate checks and an integrated view of projects in the pipeline.
• Perform technical security configuration assessments of cloud platforms such as Microsoft Azure, Amazon Web Services (AWS), and Google Cloud.

Who you are:
• Bachelor's Degree, or equivalent work experience and certifications
• Minimum of five years in IT with a focus in application development or security
• Demonstrated background in penetration testing and Secure Development Lifecycle methodologies; expertise in identifying vulnerabilities, static/dynamic code analysis, and code reviews
• Experienced in Python, Perl, JavaScript, and shell scripting
• Familiarity with SAFe, agile release train concepts, and Agile methodology
• A good understanding across cloud and infrastructure components (server, storage, network, data, and applications)
• Hands-on experience using tools such as Whitehat, Tenable, Veracode, Netsparker, or AppInsight as well as Jenkins, GitLab, Puppet, Vault, and Grafana or other related automation and orchestration toolsets
• Expertise in working with CI/CD tools and pipelines such as Azure DevOps, Jenkins, GitHub, Gitflow, and artifact repositories
• Experience with collaboration tools such as Jira, sprint planning, and task ownership; comfortable in customer-facing roles
• Understanding of industry-leading practices around cyber risks and cloud security using industry standards such as CIS Benchmarks, Cloud Security Alliance, and NIST SP 800-144 and 800-145
• One or more industry-leading certifications is preferred: CCSP, GCSA, CSSLP

Date Posted

08/14/2022
