Position Reference Number: APPSECSD
$110,000 - $130,000+
Relocation Package: Yes
Job Type: Full-Time
Required Education: Bachelor, CISSP, CISA Preferred
SecurityRecruiter.com has been engaged by a CISO whom we've worked with for many years to assist in building an information security program from the ground up. This role represents an opportunity to provide internal services to our client that have never before been provided by a dedicated resource. This role carries responsibility for leading the development, implementation and maintenance of web application security programs that support our client’s core business operations. This hands-on role requires an application security professional who has a deep background in application development and coding experience combined with a deep understanding of Information Security and Secure Coding / Secure Software Development principles. Specific responsibilities include: Developing an Application Security program through a very close working relationship with development teams; Creating documentation related to the Application Security program, including secure coding policies, procedures and standards, modification of the Software Development Life Cycle (SDLC) to include necessary security checkpoints, code review methodologies, etc.; Developing and leading training programs used to train developers on secure code development practices; Ensuring that application security requirements are identified early on and are built into code development practices; Planning, coordinating and leading teams in the design, integration, development, validation and implementation of specific security policies, systems and services; Evaluating new security trends and technologies; Making recommendations to strengthen the information security environment; Leading assessment and acquisition of application security tools and technologies; Participating as a subject matter expert in the incident response program; Attending design and application architectural reviews and actively leading discussions from a security standpoint; Evaluating application development and implementation activities for possible vulnerabilities, etc.
Requires a BA/BS combined with 5+ years of direct web application security experience and 8+ years of overall information security experience. Certifications such as the CISSP and CISA are appreciated. Candidates must demonstrate: Strong program development, program management and leadership skills, including experience in developing, documenting and establishing application security programs and best practices; Deep application development / software development experience, including C++ and Java coding, and an understanding of security protocols and APIs (Java Cryptography API, Kerberos, etc.); Strong understanding of application threat modeling and the security aspects of the SDLC; Strong documentation skills in writing application security policies, procedures and standards; Solid understanding of application security essentials, including Threat Modeling, SSL / TLS, Digital Signatures, Access Control, Auditing Architectures, Application Vulnerabilities (SQL Injection, Cross-Site Scripting, Buffer Overflows, etc.), Public Key Infrastructure (PKI using RSA), Authorization / Authentication, Cryptography, Password Protection, State Management (Cookies, Sessions) and Trusted Systems. Familiarity with Google Widget Toolkit preferred. Must demonstrate a thorough understanding of Oracle Databases, Apache and Tomcat, Red Hat Linux, UNIX, and web service security using WS-Security and SOAP. Experience with agile software development methods using SCRUM preferred. Understanding of the Model-View-Controller (MVC) design pattern using the Struts framework preferred. Familiarity with application vulnerability testing tools such as AppScan / WebInspect, etc. preferred.