Your Future. Secured. ISC2 is a force for good. As the world’s leading nonprofit member organization for cybersecurity professionals, our core values — Integrity, Advocacy, Commitment, Inclusion, and Excellence — drive everything we do in support of our vision of a safe and secure cyber world. Our globally recognized, award-winning portfolio of certifications provide an independent and globally recognized endorsement of cybersecurity knowledge, skills and experience for all career levels. Our charitable arm, the Center for Cyber Safety and Education, enables ISC2 and our members to serve the public by educating the most vulnerable about cyber risks and empowering access to enter and thrive in the cyber profession. Learn more at ISC2 online and connect with us on Twitter, Facebook and LinkedIn. When you join ISC2, you’ll demonstrate your commitment to an inclusive and equitable environment. Your support of the unique perspectives and experiences shared by our global cybersecurity workforce and profession will be recognized. We invite you to take an active role in helping us create a true sense of belonging across our organization — an environment of authenticity, trust, empowerment and connectedness that empowers all of our successes. Learn more.

The Application Security Engineer will be an integral part of the security team and will work cross-functionally with several lines of business to ensure the secure delivery of products and applications. The Application Security Engineer will be expected to attend stand-ups and strategy sessions to identify areas of risk and offer consulting on best practices. The Application Security Engineer will act as a champion and will formalize the integration of application security into our current processes and tools.

The Application Security Engineer will be expected to facilitate technical design reviews, perform code analysis, offer remediation recommendations, perform manual and dynamic security testing, and document and present all findings. The Application Security Engineer will work closely with the Development, Release, and QA teams to identify and coordinate security testing, validate, test, and vet both internally and externally developed applications. As an Application Security Engineer, you will act as a DevSecOps Engineer that will be responsible for secure application delivery as well as the underlying infrastructure. The Application Security Engineer must be comfortable with securing cloud-based products in environments such as AWS, Azure and Salesforce. Additionally, this position will provide security risk assessments, create threat models and assist the team with vulnerability testing.

Additionally, this position manages the ISC2 responsible reporting program that supports the organization’s secure application delivery objectives. In addition to the daily duties described, the individual will assist the security engineering team in the management of security technologies administered by the group (e.g., WAF, Firewall, IDS, and SEIM). This would be an "as needed" function, which is primarily to provide coverage for those duties when individuals on the security engineering team are out of the office for training or vacation. Additionally, the Application Security Engineer will be expected to participate in the Incident Response team and act as a Subject Matter Expert when dealing with the continuity of our operations and when responding with cyber incidents.

• Conduct security assessments: Perform comprehensive security assessments of applications, including static code analysis, dynamic application testing, and penetration testing. Identify vulnerabilities, weaknesses, and potential attack vectors.
• Secure code review: Review application source code to identify security flaws, such as insecure authentication mechanisms, input validation vulnerabilities, and potential injection attacks. Provide recommendations for remediation and best practices for secure coding.
• Threat modeling: Collaborate with development teams to identify and assess potential threats and risks associated with the application. Use threat modeling techniques to prioritize security controls and countermeasures.
• Develop and implement security controls: Design, develop, and implement security controls and countermeasures to protect applications against common security threats, such as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection. Implement secure coding practices and security guidelines.
• Vulnerability management: Establish and maintain a vulnerability management program for applications. Track and prioritize vulnerabilities based on their severity and impact. Coordinate with development teams to ensure timely remediation of identified vulnerabilities.
• Security testing automation: Develop and maintain automated security testing tools and scripts to streamline the application security testing process. Integrate security testing into the continuous integration and deployment (CI/CD) pipeline.
• Security training and awareness: Conduct security training and awareness programs and determine skills training needs for development teams, promoting secure coding practices and awareness of common security vulnerabilities. Stay updated with the latest security trends, attack techniques, and best practices. 
• Incident response: Provide support during security incidents or breaches related to applications. Participate in incident response activities, including containment, investigation, and remediation.
• Compliance and regulatory requirements: Ensure that applications adhere to relevant security compliance standards, industry regulations, and data privacy requirements (e.g., GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability)). Collaborate with compliance teams to address any compliance-related concerns.
• Security documentation and reporting: Prepare and maintain security documentation, including security policies, procedures, and guidelines. Generate periodic reports on the security posture of applications and present findings to relevant stakeholders.

Other responsibilities include:

• Maintain and manage all pipelines from a security perspective. 
• Onboard new pipelines for security tooling. 
• Keep pipeline diagrams up to date with current security details. 
• Serve as the primary SME for the DAST scanner. This includes configuration, testing, vulnerability management, and remediation oversight. 
• Recommend continuous improvements for the SAST scanner. 
• Security code release approvals  
• Maintain and manage the WAF, including signatures, configuration, and threat intel feeds. 
• Serve as the SME and provide recommendations for ongoing improvements. 
• Establish baseline WAF signatures for XD Prod following the Silverline migration. 
• Baseline WAF signatures after code releases. 
• Serve as the primary point of contact for vetting bug reports and managing the informed disclosure process.
• Assist with attestation data gathering. 
• Support and assist with threat modeling. 
• Act as the formal backup for the threat modeling and attestation processes. 
• Review and approve Security Assessment Review reports as needed. 
• Perform other duties as required.

• Ability to demonstrate and support the ISC2 Core Values:  Integrity, Excellence, Inclusion, Advocacy and Commitment
• Function as an architect, who can conduct architecture reviews of new systems and solutions. 
• Serve as a builder who can build and integrate application security in our SDLC. 
• Act as a collaborator, who likes to engage with the team and the industry. 
• Serve as a team player, who will jump in and assist in other security functions as needed. 
• Function as a leader, who will use your knowledge and to train and guide developers and engineers.
• Demonstrate a passion for application security, creative and critical thinking, strong analysis skills, the ability to work in a fast-paced environment, and have familiarity with agile, continuous integration, and continuous deployment. 
• Experience in securing SaaS-delivered offerings in multiple cloud environments deployed with automation & orchestration.

• Ability to write some code, as needed, to conduct security-focused testing.
• Application Experience with common testing tools such as Veracode, Fortify, Zap, Burp, and fiddler, among others. 
• Application Understanding of common vulnerabilities & remediation. 
• Application Knowledge and understanding of automation and scripting languages.
• Design & code review skills.
• A solid understanding of Microsoft platforms such as .NET, Windows, C#, Azure.
• General Knowledge of cloud security, API (Application Programming Interface) security, and associated best practices.

• Bachelor's degree in computer science, information systems, related engineering field. Will consider a high school diploma and 10+ years of relevant work experience, as well as current additional credentials (CCSP, GDSP, etc..) in lieu of a degree.
• A CISSP and CSSLP are required for this position. 
• 8+ years of experience in Information Security.
• 8+ years of experience with static and dynamic analysis for coding and vulnerability identification and remediation. 
• 5+ years of Secure Development experience. 
• Application Experience with implementing Secure Development Lifecycle in an agile environment.
• First-hand experience with architectural reviews, application reviews, and penetration testing.
• Application Experience with Continuous Integration processes, particularly with building security practices into the pipeline.

• Ability to travel up to 10% of time. May also include overnight travel. 
• Work extended hours, when necessary.
• Work in an office environment using dual monitor computer screens.
• Sitting for extended periods.  

All qualified applicants will receive consideration for employment without regard to race, color, religion, age, sex, national origin, disability status, genetics, protected veteran status, sexual orientation, gender identity or expression, or any other characteristic as protected by applicable law. Job candidates will not be obligated to disclose sealed or expunged records of conviction or arrest as part of the hiring process.