Application Security Developer
Ethoca customers trust that their data and private information are secure because of the high standards of security and compliance enforced by technology, infrastructure and governance processes. The application security program is designed to ensure that any software developed or acquired meets these stringent standards while enabling rapid innovation to meet customers' ever-changing needs.
We are looking for an Application Security Developer to join our growing information security and development teams, reporting directly to the Vice President of Security and Corporate IT. The Application Security Developer will help shape software security innovation and play a key role in the evolution of Ethoca's current and future product development. The role will work as part of a growing security team to provide software security and software supply chain risk management expertise for the development, QA, DevOps and technology operation environments. The role will be a security advocate and will advise key stakeholders, including executives and product managers, on software security, DevOps security, and technology and operational risks, and on how to effectively balance security and business requirements. The role will also provide expert advice during security incidents, communicating mitigation strategies to both technical and non-technical audiences.
- Integrating security tools, standards, and processes into the software development life cycle (SDLC)
- Ensuring developers and QA personnel are trained with the appropriate level of software security knowledge to perform their daily activities
- Improving and supporting application security tool deployments, including static analysis and dynamic (runtime) testing tools
- Improving and maintaining secure development standards
- Supporting incident response and architecture review processes whenever application security expertise is needed
- Managing routine penetration testing services, including both expert consulting and managed services
- Providing manual penetration testing and standards gap analysis services to internal business and technology partners
- Managing application security framework and security technology improvement projects
- Supporting vendor security activities (part of supply chain risk management processes) to ensure third-party software and development meets Ethoca security standards
- Integrating threat modeling practices into the product development life cycle
- Providing security requirements for test‐driven design
- Producing metrics reporting the state of application security programs and performance of development teams against requirements
What you bring:
- Successful candidates will be a passionate software security evangelist who can translate software security concepts into language that is meaningful to many audiences, including business and technical leaders and individual contributors.
- Candidates must be able to approach application security from the perspective of risk management and avoid purely academic thinking about software security. Demonstrable ability to influence decision‐making processes at all levels of the organization will be critical to success.
- Candidates must have excellent verbal and written communication skills, including experience speaking in public forums and writing/contributing to technical publications.
- The candidate should have familiarity with a variety of development and testing tools, including:
  - IntelliJ, Git, Jira, Confluence, Maven, New Relic, Chef/Puppet, Jenkins, Ansible, Selenium, Docker, Kubernetes, Nagios, Zabbix, Elasticsearch and ELK, Nexus
- Candidates should also have expert hands-on experience working with one or more SAST, DAST and IAST tools such as Veracode, Coverity, Fortify or AppScan
- Candidates must be able to explain all vulnerabilities and weaknesses in the OWASP Top 10, WASC TCv2, and CWE Top 25 to any audience, and discuss effective defensive techniques.
Mandatory minimum requirements:
- Bachelor's degree in Computer Science, mathematics, physical sciences or engineering fields.
- One of the following certifications is mandatory: (ISC)2: CISSP, CCSP or CSSLP
- Familiarity with industry standards and regulations including PCI-DSS, SOC1, SOC2 and ISO27001 is mandatory for the role.
- 5-10 years of relevant work experience.
- Experience with cyber security attacks and best practices for mitigation methods.
- Experience working with web applications and browser security; security assessments and penetration testing; identity and access control; applied cryptography and security protocols; security information and event monitoring and intrusion detection
- Expertise in employing analytics and threat intelligence techniques; incident response processes; software security
- IT supply chain risk management and assurance; cloud security operations
Please forward your resume and a covering letter to firstname.lastname@example.org with "Application Security Developer" in the subject line. We will only be contacting those individuals who we believe are the best potential fit for our requirements.
At Ethoca, we welcome job applications from qualified individuals without regard to race, color, religion, sex, national origin, age, disability, ancestry, family care status, veteran status, marital status, or any other lawfully protected status in every jurisdiction in which we operate. We are committed to a diverse workforce that provides fair and equal opportunity for all employees and candidates.