Title: Sr. Application Security Engineer
Location: Minneapolis/St. Paul, MN
The Application Security Engineer, Senior performs the role of subject matter
expert on implementing and testing secure systems and architecture
requirements, performing architecture security and design reviews, and
recommending secure solutions to protect the organization’s application,
infrastructure and information assets across the enterprise in a way that is
consistent with the organization’s information system security standards.
Essential Duties and Responsibilities
- Develop security stories and requirements by analyzing feature stories/epics from backlogs.
- Collaborate with Product Managers, Scrum Masters, and Application Architects, identifying and injecting security requirements into the Acceptance Criteria of epics/stories.
- Conduct Threat Modelling on various components of application solutions.
- Hands-on coding of various security use cases into developers’ unit, integration, Capybara/Selenium, and API testing.
- Advocate using IDE security plugins that scan code for security bugs on developers’ machines.
- Perform security testing via Static, Dynamic, or Interactive tools and rule out false positives.
- Review, analyze, and help re-test various Pen Testing items.
- Collaborate with DevOps engineers and be hands-on in developing security features/controls/tests as infrastructure-as-code in the CI/CD pipeline.
- Research and monitor emerging security technologies, understand current industry and technology trends and opportunities, and assess their impact on the
- Collaborate and consult with cross-functional IT teams and business partners to identify risks, develop technical standards, specifications, and guidelines, and implement appropriate information security controls.
- Provide appropriate security guidance and answer technical and procedural questions for less experienced team members; teach improved processes and mentor team members; knowledge transfer to design and implement appropriate
PMO and Project Life Cycle (PLC) interface:
- Collaborate with the PMO and Scrum Masters to ensure technical security architecture requirements are included in projects/Stories.
- Ensure that individual projects remain aligned with security strategies, architectural designs, and standards through governance oversight and mentoring.
- Ensure consistency of architectural and technical solutions across projects.
- Ensure that internally developed and vendor applications comply with industry best practices for coding, including coding standards, design & code walkthroughs, and pre-production testing.
Enterprise Architecture (EA) interface:
- Build relationships and maintain effective communications with the lead architects and development groups throughout the organization.
- Ensure projects comply with security-related Enterprise Architecture policy and standards.
- Collaborate with IT leadership and architecture/development teams to establish standards, policies, and procedures.
- Collaborate with IT leadership and other architects to ensure the solution patterns, technologies, and toolsets align with long-range strategic plans and
- Collaborate with other architects to define and promote architecture processes, outcomes, and results to the organization, including IT and business
- Bachelor’s degree in Computer Science or related information technology
- Preferred: security-related certification – CISSP, CCSP, GSEC, SANS GIAC or equivalent.
- Experience and knowledge of ITIL, ISO, SDLC, SCRUM
- Two years of professional project management experience preferred
- Passionate about Application Security
- Minimum of 7 years of IT Security and/or Security Architecture experience
- Bachelor’s degree and CISSP, CCSP, GSEC, SANS GIAC or equivalent
- System/OS hardening standards and methodologies
- 5+ years in Application Development with a focus on security on Java, .Net, AngularJS, Spring Boot framework, MongoDB, SQL Server, etc.
- Knowledge of OWASP Top 10 and vulnerability management
- Experience in cloud computing based services architecture, technical design, and implementations including IaaS, PaaS, and SaaS delivery models
- Preferably experience with setting up secure cloud configurations (Azure, AWS, etc.)
- Application security architecture concepts, security requirements, security testing methods
- Demonstrated knowledge of SDLC and secure coding practices
- Experience working with Agile/Scrum software development practice
- Experience working in a DevSecOps culture
- Knowledge and/or experience in microservice-based architectures, Cloud Foundry, cloud computing security, encryption and key management on Cloud
- Experience in static application security testing, dynamic application security testing, interactive application security testing, and penetration testing methodology, techniques and tools
- Experience in Threat Modeling applications developed using microservice-based architecture
- Knowledge of API security and testing
- Security knowledge of containers (e.g. Docker, Diego Cells, etc.)
- Database security configuration knowledge (MongoDB, Oracle, SQL)
- Exposure to security issues within a regulated environment (HIPAA, SOX, GLBA, PCI, FIPS-140).
- Strong communication and interpersonal skills and the ability to operate in a matrixed environment
- Strong team player
- Process-oriented and strong documentation skills
- Ability to interact with internal/external clients/customers in a professional manner
- Miscellaneous duties as assigned
We’re an equal opportunity employer. All applicants will be considered for employment without attention to race, color, religion, sex, sexual orientation, gender identity, national origin, veteran or disability status.