Application Security Engineer III

 

RESPONSIBILITIES:  

 

• Establish security best processes and practices for our mobile, on-premises and cloud-based platforms.
• Provide expert knowledge and guidance to the product teams about security vulnerabilities and remediation controls.
• Support and consult with product and development teams in the area of application security, including threat modeling and Application Security reviews.
• Implement, continuously develop, and maintain secure Software Security Development Lifecycle processes and software maturity model.
• Perform threat modeling, secure design, and source code review.
• Conduct security assessments, security testing and validation of vulnerability scan results.
• Assist teams in reproducing, triaging, and addressing application security vulnerabilities.
• Incorporate security tools/tasks to automate product development and deployment.
• Develop, implement, and automate defensive controls, creating and tuning tools and rules to detect and address malicious activity. Responsible for integration of security controls into SDLC. 
• Establish supply chain security process and ensure 3rd party software meet the standards.
• Facilitate injection, integration, and compliance for Static Application Security Testing (SAST), Container Security Scanning & Open-Source Security Analysis during development phase. 
• Facilitate injection, integration, and compliance for Dynamic Application Security Testing (DAST)
• Contribute to triaging, addressing security issues and tracking remediation.
• Own and manage Secure SDLC tooling.
• Develop and customize security tools used by security teams and developers.
• Work closely with development teams to build security directly into their SDLCs.
• Provide remediation guidance to programmers and management.
• Support bug bounty program
• Support the preparation of security releases
• Mentor and train development teams on secure coding standards and techniques. Develop Secure Coding Program.
• Constantly innovate at the pace of the adversary using latest techniques. 

 

  

EDUCATIONAL REQUIREMENTS:  

• Bachelor’s degree in computer science, Information Systems, or equivalent combination of education and experience  
• Certifications in the field of Information Security (at least one of the following: CISSP, CEH, GIAC CPEN, OSCP, OSWE, CWAPT, GWAPT, GWEB)

 

EXPERIENCE REQUIRED:

• A minimum of  3 to 5  years of experience.

 

  

GENERAL KNOWLEDGE, SKILLS & ABILITIES:  

• In-depth knowledge of web and mobile security vulnerabilities, attack vectors and mitigation techniques
• Experience with multiple programming languages (Java, JavaScript, Go, Python, Ruby, Objective-C, C#, PHP) with hands on level coding experience with at least one scripting and one objected oriented programming language.
• Fluent with security testing with SAST, SCA, DAST, IAST, Fuzz and penetration testing tools
• Understanding of application security standards such as OWASP ASVS/Top 10 and CWE 25
• Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
• Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
• Knowledge of DevSecOps to maintain security in CI/CD pipeline.
• Solid experience with security tools like Semgrep, CheckMarx, VeraCode, BurpSuite, Snyk, Nessus
• Familiar with tools like Git, Jenkins, CircleCI, Maven, Ant, Gradle, Nexus, SonarQube, Artifactory, Chef, Splunk
• Experience writing custom rules for static analysis tools.
• Experience with API Security, IaC, Containerization, RASP, IAST
• Experience with micro services, container deployment and service orchestration
• Strong knowledge of cryptography, API security, and secret management
• Ability to clearly and effectively communicate concerns and issues to the management and engineers.
• Experience with Cloud (AWS, Azure, GCP) Security
• Experience writing tools to automate tasks and integrate systems using scripting languages like Go, Python and REST APIs. 
• Experience in delivering and educating development groups in Secure Coding
• Expertise with common vulnerabilities and attack vectors.
• Experience integrating security tools into developer pipelines.
• DevOps experience managing deployment and configuration.

 

General skills include:

• Strong critical thinking and analytical skills
• Ability to approach problem solving in a constructive and collaborative way that does not require absolute security. 
• The ability to communicate complicated technical issues and risks to programmers, network engineers and managers.
• Strong leadership, project, and team-building skills
• Exceptional communication skills with diverse audiences; the ability to be an application security subject matter expert who can explain relevant topics to general audiences.

Fanatics is building a leading global digital sports platform. We ignite the passions of global sports fans and maximize the presence and reach for our hundreds of sports partners globally by offering products and services across Fanatics Commerce, Fanatics Collectibles, and Fanatics Betting & Gaming, allowing sports fans to Buy, Collect, and Bet. Through the Fanatics platform, sports fans can buy licensed fan gear, jerseys, lifestyle and streetwear products, headwear, and hardgoods; collect physical and digital trading cards, sports memorabilia, and other digital assets; and bet as the company builds its Sportsbook and iGaming platform. Fanatics has an established database of over 100 million global sports fans; a global partner network with approximately 900 sports properties, including major national and international professional sports leagues, players associations, teams, colleges, college conferences and retail partners, 2,500 athletes and celebrities, and 200 exclusive athletes; and over 2,000 retail locations, including its Lids retail stores. Our more than 22,000 employees are committed to relentlessly enhancing the fan experience and delighting sports fans globally.