    Application Security Engineer

    Gurugram, Haryana, India

    • 202407593
    • Gurugram, Haryana, India
    • Full time
    • Closing on: Mar 31 2025

    Description

    Key responsibilities of this role include:

    1. Creating application security designs based on modern software architecture patterns such as Microservices, Single-Page Application, and Serverless.
      a. This requires a basic understanding of Microservices, Serverless and SPA. Must have worked on APIs and UI apps on cloud (meaning serverless).
    2. Secure coding practices to avoid common security vulnerabilities such as those in the OWASP Top five / Ten: SQLi, XSS, and CSRF
      a. This requires a basic understanding and experience of coding to prevent the following in the code: SQL Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control and Cross Site Scripting.
    3. Understanding / experience of securing APIs, such as enforcing HTTPS, rate limiters, input validation, token generation, etc.
    4. Experience and understanding of secure coding testing using application security tools
    5. Ability to identify and analyze results from DAST and provide fixes, such as for Insufficient Logging and Monitoring, Denial of Service (DoS), and other threats mentioned in 2a. above
    6. Experience in working with security incidents and basic knowledge of the SIEM process.
    7. Ability to work on security design reviews
      a. This requires a basic understanding and experience of verifying that data is encrypted in transit, checking the access control mechanism for the app (OAuth, SAML, RBAC), identifying third-party posture and associated vulnerabilities, if any, and documenting other secure coding gaps.
      b. The candidate is expected to review Azure cloud environment configurations.

    Qualifications

    • Minimum of three plus years of combined Application Security or Development experience with strong application security acumen, and hands-on experience with security design reviews and security testing
    • Demonstrable hands-on experience of securing applications in a Cloud environment (Azure)
    • Experience working in Agile and/or DevOps environments
    • Experience with software development tools: IDEs, version control, test automation, continuous integration, defect and backlog management systems
    • Experience of working with CI/CD pipelines, highly preferred in a cloud environment (AWS / Azure / GCP)
    • Knowledge of tools such as sqlmap, Postman, Azure App Insights, Azure Functions

    For a colleague with 3 to 5 years' experience, below is the MUST (proven experience) vs PREFERRED (knowledge / understanding) skill list.

    • Coding Experience of coding on cloud and using APIs: PREFERRED
    • Coding Experience microservices: PREFERRED
    • Secure Coding Practices - OWASP Top 10: MUST
    • Secure Coding testing – SAST, DAST, Open Source Security: MUST
    • Secure Coding testing – Scripting Python, PowerShell: PREFERRED
    • Penetration Test experience: MUST
    • Using CI/CD pipelines to integrate scripts for security testing: PREFERRED

    Behavioral Skills

    • Make fact-based decisions using individual judgement and problem solving
    • Keep open lines of communication within the team and collaborate with group members
    • Build trust by fulfilling team expectations, guidelines, and work responsibilities as well as holding others accountable for the same
    • Conceptual thinking and communication skills – the ability to conceptualize complex business and technical requirements into comprehensible models and templates
    • A keen analytical mind for problem solving, abstract thought, and offensive security tactics
    • Good communicator (written and verbal) and listener
    • Must be a team player and motivated self-starter with the ability to work independently and remotely with limited supervision

    Preferred Industry certifications:

     Azure Security Certifications, OSCP, CEH, CISSP, CSSLP or similar.

    Unsolicited Contact

    Any unsolicited resumes/candidate profiles submitted through our web site or to personal e-mail accounts of employees of Willis Towers Watson are considered property of Willis Towers Watson and are not subject to payment of agency fees. In order to be an authorized Recruitment Agency/Search Firm for Willis Towers Watson, any such agency must have an existing formal written agreement signed by an authorized Willis Towers Watson recruiter and an active working relationship with the organization. Resumes must be submitted according to our candidate submission process, which includes being actively engaged on the particular search. Likewise, for our authorized Recruitment Agencies/Search Firms, if the candidate submission process is not followed, no agency fees will be paid by Willis Towers Watson. Willis Towers Watson is an equal opportunity employer. If you would like to have your contact information saved for future consideration, please email: Agency.inquiries@willistowerswatson.com.
