Senior Application Security Engineer

26 Feb 2024
New Mexico, Albuquerque, 87101 Albuquerque USA

The Senior Application Security Engineer position is a hands-on role that involves evaluating and enforcing application security in all phases of the Software Development Life Cycle (SDLC). This position will work closely with our engineering teams to define and implement application best practice security controls, perform software architecture and design reviews and threat modeling, conduct white box security testing, and support the identification, interpretation, and remediation of vulnerabilities across a variety of applications, programming languages, and platforms with a focus on supporting our GovCloud environment.

We are looking for someone with a strong background in information security and a proven ability to deliver under pressure. The position is remote, and candidates must be willing to collaborate with the team in the PST time zone.

In this role you will…

Participate in architecture and design reviews with Engineering leads to incorporate effective security standards into product design

Design, build, and maintain security tools/processes to effectively secure our cloud-based environments (AWS, GovCloud, GCP)

Guide the team on best practices related to Infrastructure as Code (CloudFormation), Lambda functions, IAM, and related cloud services.

Implement a program to integrate security into the build/release pipelines to ensure our code is secure before it goes to production

Conduct white box security testing to assess and validate application security

Define, maintain, and enforce application security best practices and evaluate application security tools to improve our detection and prevention capabilities

Monitor and track progress of found vulnerabilities and maintain the history

Explain and demonstrate vulnerabilities to application/system owners, and provide recommendations for mitigation

Deliver secure code development training to developers, quality assurance personnel, and relevant staff

You’ve got what it takes if you have…

Ability to obtain a security clearance which requires US citizenship

Bachelor’s degree in an Information Technology related field of study or equivalent post high school education and/or work-related experience

6+ years of experience in web and/or mobile application security

Experience working in AWS GovCloud or FedRAMP/DoD environment

Experience with STIG and/or CIS

Knowledge of information security principles, web applications, and a level of familiarity with malicious code and common techniques used by hackers

Experience with common SDLC tools: static and dynamic code analysis, API security, open source management, container security, threat modeling, etc.

Experience with HTML and JavaScript along with a solid understanding of HTTP protocol

Experience coordinating penetration testing activities and performing penetration testing

Extensive experience with CI/CD practices and tools (Git, Jenkins) and integrating security solutions into CI/CD pipelines

Extensive experience creating solutions in Python or other languages such as C#, Node.js, or Go, and in Infrastructure as Code (AWS CloudFormation)

Excellent problem solving and analytical skills; outstanding oral and written communication skills

Self-motivation and the ability to work under minimal supervision are a must

Excellent at multitasking, and open to constant learning

Energetic and positive attitude

Demonstrated commitment to valuing diversity and contributing to an inclusive working and learning environment

Consideration for privacy and security obligations

An extra dose of awesome if you have…

Knowledge of microservices architectures

Experience working on security responsibilities for SaaS or PaaS solutions, preferably in AWS

Basic knowledge of SQL and prior experience with programming in one or more server-side technologies such as ASP.NET Core or scripting (Python, Shell)

Thorough understanding of SDLC and software security maturity models such as Building Security In Maturity Model (BSIMM) or OWASP Software Assurance Maturity Model (SAMM) is a plus

Experience conducting secure code development training

Knowledge of cryptographic tools and/or security APIs

Experience interacting with security vendors and customers

Knowledge of FIPS 140-2 and cryptographic tools

Equal Employment Opportunity has been, and will continue to be, a fundamental commitment at Cornerstone OnDemand. All qualified applicants are given consideration regardless of race, color, gender, age, sexual orientation, national origin, marital status, citizenship status, disability, veteran status, or any other protected class as provided in applicable Federal, State, or Local fair employment laws. If you have a disability or special need that requires accommodation, please contact us at careers@csod.com.

Jocancy Online Job Portal by jobSearchi.