- Role: Product security / Application Security / DevSecOps / Security Architecture;
- Security advisory on projects with different size and technologies;
- You will be the primary security engineer for software products and act as the point of contact for engineering and security;
- Design, build and review security-related services and functions of web applications, mobile applications, and desktop applications;
- Conduct product security threat and risk assessments for software products regularly (OWASP Threat Dragon/MS Threat Modeling Tool);
- Classify data and applications based on business risk. Establish a simple classification system to represent risk-tiers for applications;
- Work with product & development managers for the assessment and prioritization of security-related tasks in the development backlog;
- Provide the Engineering teams well-researched security solutions and controls to mitigate risk and fix vulnerabilities;
- Improves the adoption of security best practices in testing, automation, and continuous integration pipelines.
- Understanding the details of the secure SDLC approach and has experience in it. Ability to describe goals, steps, approaches, etc. Has ability to lead implementation of security controls in the development team;
- Solid knowledge of OWASP Top 10 and understanding OWASP testing guide. Ability to describe vulnerabilities, ways of exploitation, and fix methods;
- Strong knowledge of network and application protocols and their associated security implications (TCP/IP, HTTP, TLS, SSH, DNS, etc.);
- Experience with programming and scripting languages such as Java, .NET, Python, Bash, PowerShell, etc;
- Experience with conducting threat assessments, building threat models, and creating remediation plans based on the results of threat assessments;
- Experience in implementing and verifying OWASP ASVS;
- Experience with the OWASP Software Assurance Maturity Modell (OSAMM);
- Understanding of cryptography. Knows the most popular ciphers and their application. Can assess the proper usage of different types of algorithms;
- Understanding of risk management, its purpose, and approaches. Understanding the difference and consequences of various risk handling methods (rejection, mitigation, accepting, etc.) Can evaluate risks and create risks management plan;
- Experience with penetration testing, threat modeling, open-source, and commercial security tools;
- Ability to develop and conduct security pieces of training and workshops (e.g. General security training, threat modeling).
- Good communication skills, ability to conduct email communications, lead security-related meetings and discussions;
- At least Intermediate level of English including cybersecurity-related vocabulary.
Would be a plus (not mandatory):
- Cloud Security (Understands shared security responsibility models for cloud services: IaaS, PaaS, SaaS. Understanding of IAM, principles of cloud security policies, and potential cloud security risks. Able to effectively implement cloud security improvements.);
- OSCP Certification;
- Hashicorp Technologies (Terraform, Vault);
- Containers and Container Management (Docker, Kubernetes);
- Config Management (Ansible).