Company: Veritran

Address: CABA, Argentina
Category: Engineering and technology

Job description


This role oversees and spearheads the management of Application Security across Veritran. This position requires an excellent understanding of architecture, design, and coding in multiple languages.

An important part of the role is to support code reviews, vulnerability analysis, review penetration tests, and architectural reviews on new features and existing code.

You'll need a strong technical grasp of mobile and web apps, backend services, and penetration methods. You should also enjoy automating tasks, creating tools to find vulnerabilities, and effectively communicating findings through detailed documentation.

The Application Security Specialist is responsible for leading the internal Secure Development Champions Program and Secure Development framework.

The role aims to provide security education and guidance to embed and enhance Application Security across Veritran.

Due to the nature of Veritran's product, which involves handling sensitive financial and personal data, Application Security is crucial for both Veritran and its clients.

If you're passionate about securing cutting-edge technologies, possess a strong background in Application Security, and are eager to grow as a professional, for example by mastering AI security practices, we encourage you to apply for this rewarding position.

Responsibilities and Activities:

  • Lead and steer Application Security with all (technology) teams.
  • Work closely with the Product Security Specialist to deliver enhancements by integrating security into the Security Development Lifecycle (SDL) process, supported by the Secure Development Champions Program (SDC) and the Secure Development Framework (SDF) program, which support security enhancements to software design for existing and new features and for major changes.
  • Maintain documented Application Security requirements by referring to established security standards and best practices, such as OWASP Top Ten, NIST Cybersecurity Framework, and industry-specific guidelines through the SDF program.
  • Develop, implement, and communicate vulnerability mitigation strategies through the SDC and SDF programs.
  • Collaborate with cross-functional teams, including development, IT, and compliance teams, to integrate security into the software development lifecycle.
  • Perform / support code reviews, audits, vulnerability analyses, penetration tests, and architectural reviews on new features and on the platform as a whole and provide recommendations on best practices related to Application Security.
  • Lead, guide and / or support threat modeling and security code walkthrough efforts.
  • Develop and deploy (AI-based) threat detection mechanisms that identify anomalies and potential security weaknesses in real time, and use the results to support defining enhancements in Application Security strategies and procedures.
  • Research the latest security best practices (such as for AI), trends, threats and vulnerabilities, and technology frameworks.
  • Research new technologies (e.g., AI and Machine Learning) and their security best practices.
  • Develop, recommend, evaluate, integrate, deploy, and maintain security tools, including static and dynamic analyzers.
  • Support testing scenarios and strategies as part of the SDL and QA processes.
  • Assess Technology teams' security knowledge and skills through quizzes, assignments, and practical assessments and provide constructive feedback to help improve their understanding and application of security practices in technology (focus on Application Security).
  • Support the Veritran Cyber Resilience Certification program related to the Application Security domain, such as ISO 27001, ISO 22301, CSA STAR, PCI-DSS and SOC 2 Type 1 and 2, in the implementation of the ISMS controls based on the ISO 27000 series standards.
  • Maintain records of training sessions, attendance, and assessment results. Prepare reports and metrics to track the effectiveness of Application Security training programs and identify areas for improvement.
  • Maintain the Veritran Security Testing environment.

We look for these skills and / or the ability to learn / develop the following domains:

  • Experience as an Application Security Engineer or similar positions.
  • Background in the software development industry.
  • Understanding of Application Security patterns including web Application Security (OWASP top 10, XSS, injection vulnerabilities, CSRF, platform security hardening), and mobile security (device fingerprinting, mobile authentication and key exchange) strategies.
  • Strong knowledge of industry trends in security technology.
  • Understanding of applied cryptography and common attacks against modern cryptographic algorithms (encryption at rest, TLS, hashing, etc.).
  • Knowledge in mobile and web application code reviews (Android, Objective-C, Java, C, C++, C#, Python, etc.), audits, vulnerability analyses, penetration tests, and architectural reviews.
  • Ability to deep dive into data and analyze for security and fraud anomalies.
  • Ability to determine risk based on context.
  • Expertise in mobile and web application development.
  • Expertise in attacking network protocols and analyzing network traffic.
  • Expertise in reverse engineering Android, iOS and Linux Binaries.
  • Expertise in securing infrastructure in public cloud (e.g. AWS, Azure, Google Cloud).
  • Expertise in using SAST, DAST, SCA and fuzz testing tools.
  • Expertise in automating vulnerability discovery and repetitive tasks.
  • Expertise in building automation tools for security processes for both mobile and web applications.
  • Expertise in developing and implementing one or more of the following: Identity and Access Management, SSO, SAML, OpenID Connect, OAuth2 or MFA technologies.
  • Proficiency in both spoken and written English.
  • Self-management skills.
  • Excellent communication and interpersonal skills.
  • Be willing to go beyond the standard routine.
  • Ability to thrive in a high-pressure environment and crises.
  • Ability to adjust quickly to the security needs of a highly agile organization.
  • Ability to multi-task multiple projects at once and drive for results independently.
  • Ability to correctly balance security risk and product advancement.
  • Methodical and diligent with outstanding planning abilities.
  • Knowledge of reporting procedures and record keeping.
  • Participate in bug bounty programs and security research.
  • Proficient with one or more of the following tools: Micro Focus Fortify and Qualys Vulnerability Scanner.
  • Related certifications, such as but not limited to: OSCP, OSCE, CEH, CISSP.
  • Knowledge in related standards, such as but not limited to: ISO 27002, ISO 27017 and ISO 27018, PCI DSS, EU GDPR, SOC 1, 2 & 3.
  • Knowledge of the financial industry's standards and regulations.
  • Background in the financial industry.

Reference code: 501961. Veritran - Yesterday - 2024-01-05 08:38
