As an Associate Principal, Security Engineer you will be part of a team responsible for analyzing, triaging, solutioning vulnerabilities identified via Black Duck and Veracode scanning on open source libraries. This team is responsible for identifying solutions, testing out hands-on solutions across a variety of software, and working closely with the development community to implement solutions. The team is also responsible for assessing the total risk of the vulnerabilities with respect to The OCC environment.
You would be a good candidate for this role if you like:
- learning about new technologies and their secure implementation
- finding security vulnerabilities and helping team fix them
- thinking about problems and solving the root cause instead of just the current symptoms
- sharing your knowledge with others
Primary Duties and Responsibilities:
To perform this job successfully, an individual must be able to perform each primary duty satisfactorily.
- Provide general guidelines for preventing commonly found vulnerabilities by defining and updating security requirements
- Performing threat modeling on products, even if they don't fit a common pattern
- Reliably estimating the likelihood of given threats when building a threat model
- Conducting code reviews
- Interacting with project teams to seek implementation and completion of security requirements
- Documenting processes based on established guidelines
- Identifying or writing exploit code for high complexity vulnerabilities such as remote code execution, memory corruption or SQL injection
- Defining pen test plans through stories/tasks for moderately complex applications such as those deployed to Relativity platform (ADS app) or those involved in security critical workflows (e.g. authentication)
- Collaborate with development, platform automation and security teams to create and continuously improve a simple to use standardized repeatable automated application pipeline that includes testing, security and automated deployment to development and QA environments.
- Troubleshoot environments as problems arise, test fixes, and perform follow-ups to ensure problems have been adequately resolved.
- Collaborate with development, platform automation, security teams.
- Other job-related duties as assigned.
The requirements listed are representative of the knowledge, skill, and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the primary functions.
- Strong collaboration and presentation skills reaching across functional borders including technical and non-technical audiences.
- Understanding of Kanban and/or Agile methodologies.
- Hands-on experience working in Agile and DevOps cultures, focusing on process improvement and automation. Experience of working both independently and collaboratively in a fast paced, change oriented, and demanding IT environment with a strong focus on business outcomes.
- Hands-on security engineering experience.
- Self-starter – takes the initiative to research, learn and deliver. Anticipates the play.
- Team player – humble, collaborative, and focused on making sure the entire team succeeds.
- Experience in building threat models for web applications
- Familiarity with common software vulnerabilities (e.g. OWASP Top 10) and their remediation
- Deep interest in security architecture of applications and technologies (Web, Kubernetes, Network)
- Ability to follow established processes
- Ability to juggle several high visibility projects
- Ability to read code in mainstream programming languages such as Python, C#, Java
- Capability and hands-on experience with Vulnerability scanning tools/utilities
- Ability to provide solutioning and testing the solutions before providing details to development community
- 6+ years programming/scripting experience in languages such as Java, Bash, Python or Go.
- 2+ years hands on with continuous integration and continuous delivery (CI/CD) tools (examples - GitHub, Jenkins, Artifactory, Docker, Docker-Compose, K8s).
- 2+ years of experience in technology delivery in a DevOps and Cloud Engineering environment (AWS Preferred); relevant industry certifications such as AWS Solutions Architect Associate or similar are a plus.
- Demonstrable experience of automation.
- Bachelor’s or Master’s Degrees in Computer Science, Information Systems or other related field. Or equivalent work experience.