Applications Security Engineer

0 years

0 Lacs

Posted: 2 weeks ago | Platform: LinkedIn

Work Mode

On-site

Job Type

Full Time

Job Description

Role Summary

The application security program is designed to ensure that any software developed or acquired meets stringent standards while enabling rapid innovation to meet customers' ever-changing needs. The Application Security Engineer is responsible for providing application security services including secure coding techniques, security testing support and guidance for software development:
  • Integrating security tools, standards, and processes into the product life cycle (PLC)
  • Perform regular vulnerability assessment and penetration testing for infrastructure, web applications, web services and mobile apps
  • Supporting the incident response and architecture review processes whenever application security expertise is needed
  • Identify, analyse and assess technical and organisational cybersecurity vulnerabilities
  • Identify attack vectors, uncover and demonstrate exploitation of technical cybersecurity vulnerabilities
  • Test systems and operations compliance with regulatory standards
  • Select and develop appropriate penetration testing techniques
  • Organise test plans and procedures for penetration testing
  • Establish procedures for penetration testing result analysis and reporting
  • Document and report penetration testing results to stakeholders
  • Deploy penetration testing tools and test programs
  • Managing annual penetration testing services, including both expert consulting and managed service
  • Providing manual penetration testing and standards gap analysis services to internal business and technology partners
  • Managing application framework and perimeter security improvement projects.
  • Supporting vendor due diligence assessments to ensure 3rd party software meets Lebara security standards
  • Producing metrics reporting the state of application security programs and performance of development teams against & EXPERIENCE :
  • Familiarity and ability to explain common security flaws and ways to address them (e.g., OWASP Top 10, SANS 25)
  • Basic development or scripting experience and skills. JavaScript, React, Node, .NET and/or Java are preferred
  • A basic understanding of network and web related protocols (such as TCP/IP, UDP, HTTP, HTTPS)
  • Familiarity with some common security libraries and tools (e.g., static analysis tools, proxying / penetration testing tools)
  • Knowledge of the SSDLC process and its components.
  • Knowledge of SOA (service-oriented architecture), REST API technology and the API Gateway concept
  • Knowledge of one of the three leading cloud services : Azure, GCP or AWS
  • Experience in pen testing IaaS, SaaS, PaaS services, Container servers
  • Experience in pen testing cloud services such as AWS, Azure
  • Should have experience in vulnerability risk scoring systems such as EPSS, CVSS etc.
  • Experience in using open-source vulnerability intelligence to predict
  • Must be proficient with security configuration standards such as CIS benchmark, NIST etc.
  • Experience in maintaining external attack surface security posture
  • Should have experience with attack path management
  • Should have experience in Red Teaming exercises
  • Should have experience in defense evasion, lateral movement, and privilege escalation techniques
  • Very good knowledge of the MITRE ATT&CK Framework & TTPs
  • Very good knowledge in Windows operating system
  • Very good knowledge in Linux servers
  • Experience in pentest tools such as Kali Linux, Nmap NSE, BloodHound, Metasploit, password crackers, Mimikatz etc.
  • Experience in vulnerability scanners such as Rapid7 InsightVM, Tenable.io, Burp Suite, OpenVAS, Nmap NSE etc.
  • Very good knowledge of scripting languages such as Bash, Python, PowerShell etc.
  • Experience in application technology security testing (white box, black box and code review)
  • Understanding of Apache web server and Unix server operating systems
  • Knowledge of standard SDLC practices
  • Ideally a relevant certification such as CISSP, CEH, OSCP, or CSSLP
(ref:hirist.tech)
