Posted On 08 August

  • Senior Application Security Engineer

    • Company Luxoft
    • No. of Openings 10+
    • Salary Not Disclosed
    • Work Type on-site

    Job Description:

    Responsibilities

    • Development of security requirements at early stages of the product life cycle.
    • Preparation of test scenarios for an audit that are based on business requirements, technical documentation for a project and a list of affected systems.
    • Identification of defects and vulnerabilities in new and existing software products using the following methods:
      • Static code analysis (mainly Java and J2EE applications, iOS and Android mobile apps) using HPE-MicroFocus Fortify SCA;
      • Dynamic code analysis and scanning for vulnerabilities using Burp Suite and OWASP ZAP;
      • Manual penetration tests on software products deployed on a test environment.
    • Development of recommendations for software developers for addressing the security flaws identified.
    • Optimization and automation of the audit process.
    • Configuration (creation of new rules) of SAST and DAST tools.

    Skills

    Must have

    • Understanding of architecture and working principles of modern web applications.
    • English level: Intermediate.
    • Higher education in IT.
    • Strong knowledge of basic concepts of information security.
    • Strong knowledge of defect types (CWE/SANS Top 25 Most Dangerous Software Errors), vulnerabilities and information security risks in web and mobile applications (OWASP Top 10), as well as ways of detecting and mitigating them.
    • More than 2 years of working experience as an Application Security Engineer or in a similar position (penetration testing, etc.).
    • Strong knowledge of programming languages (Java) and scripting languages (Python, PowerShell, Bash).

    Nice to have

    • Relevant information security certifications: OSCP, CEH, OSWE.
    • Knowledge of/experience with international information security standards and personal data protection standards: ISO 27XXX, PCI DSS, GDPR, etc.
    • Knowledge of/experience with information security standards and frameworks: SAML, OAuth, WS-Security, X.509, JAAS, SSL/TLS, OpenSSO, OpenIAM, etc.
    • Experience in CTF or bug bounty programs.
    • Experience in web or mobile apps development.

    Information

    • HR Name: Human Resource
    • HR Email: DPO@luxoft.com
    • HR Phone: +60 4-218 5000