  • 703-891-5000
  • info@targetlabs.net
  • 8300 Old Courthouse Road, Suite 250, Vienna, VA 22182

APPLICATION SECURITY ENGINEER

07-10-2012

Location: Rockville, MD

Major Purpose:

The Application Security Engineer (ASE) is responsible for promoting, designing, and evaluating application security in all phases of the application life cycle. The ASE shall ensure that appropriate and effective security techniques and solutions are identified, implemented, and used.

Essential Job Functions:

  • Software Security Assessment: Evaluate applications for appropriate and effective use of security controls using tools and techniques such as source code analysis, vulnerability scanners, and manual testing techniques.
  • Web Application Firewall Management: Configure and manage Web Application Firewalls. Tune policies and monitor traffic. Triage security events and work with a broader team in developing mitigation strategies for application security vulnerabilities.

Other Job Functions:

  • Participate in all aspects of security service development projects, including the following project phases: business case development, requirements gathering, architecture development, product/service selection and procurement, functional and QA testing, detailed technical design, technology infrastructure implementation and deployment, migration from existing services, operational process and procedure documentation, operations staff training, and internal marketing of security services.
  • Facilitate the identification of relevant application security threats (threat modeling) and the establishment of appropriate security control requirements and test plans.
  • Ensure that software is architected and designed to avoid security-related logic flaws and other adverse security consequences.
  • Support and promote the use of application security systems and controls.
  • Provide guidance to developers on the appropriate selection and implementation of relevant application security controls.
  • Assist in the development of software as needed to support the application security infrastructure.
  • Verify remediated application vulnerabilities through various means such as automated scanning or manual testing.
  • Serve as subject matter expert on application and information security technologies and methodologies.
  • Perform other duties and responsibilities as assigned.

Essential Education/Experience Requirements:

  • Bachelor of Science in Computer Science, or equivalent education or experience. Emphasis in application security a plus.
  • Two (2) years of experience with Imperva SecureSphere Web Application Firewalls, including deployment, operation, administration, and support.
  • Experience evaluating the security of applications using both manual and automated techniques. Relevant tool experience should include code security scanners such as Fortify SCA, web vulnerability scanners such as HP WebInspect or IBM Rational AppScan, and assessment support tools such as Burp Suite, Metasploit, Core Impact, etc.
  • Strong written and verbal communication skills. Specific relevant experience may include technical reports (especially application security assessment reports), technical whitepapers, presentation development and delivery (for both technical and business audiences), technical training, etc. The candidate should have experience making and defending sound technical arguments that incorporate relevant technical and business considerations, and building consensus among stakeholders.

Other Desirable Experience:

  • Software engineering and development with emphasis on the following:
    o Delivery of secure, Internet-exposed, multi-tier, web-based systems.
    o Hands-on experience throughout the SDLC, including requirements gathering and test planning, software architecture, secure coding, and QC testing.
  • Professional, hands-on coding experience in Java/J2EE or C#/.NET. Experience with both a plus.
  • Providing software architecture security guidance, including developing application threat models and methodically protecting against business logic and design flaws that could introduce security vulnerabilities.
  • Experience implementing, maintaining, and supporting data encryption and sanitization using Voltage SecureData.
  • Security-related experience with the following:
    o Design patterns and coding standards for secure software.
    o Secure configuration and operation of application servers, web servers, directory servers, media/content servers, messaging servers, database servers, and integration servers.
    o Application authentication and authorization systems such as RSA ClearTrust.
    o Knowledge of PKI systems such as RSA Keon.
    o Knowledge of cryptographic toolkits for application development such as RSA BSAFE.
    o Knowledge of and experience with built-in and add-on security capabilities of common application infrastructure components such as MS SQL Server, Oracle, MS IIS, iPlanet Directory, MS Active Directory, MQSeries, MSMQ, and MS Exchange.
    o Knowledge of general application security APIs and protocols such as MS CryptoAPI, Kerberos, SSL/TLS, SAML, S/MIME, and the PKCS APIs.
    o In-depth hands-on experience with lockdowns of complex enterprise architectures.
  • Financial services industry (insurance, banking, investments) experience a plus.