Application Security Engineer

Application Security Engineer
Chicago, IL & may work from home up to two days per week

Full time

TAG is seeking an Application Security Engineer to be responsible for validating that application services are designed and implemented with high security standards, analyzing the security of applications in tandem with their underlying services, including connected dependencies such as middle-tier systems and databases, and addressing legacy and emerging security issues. The Application Security Engineer will be responsible for implementing repeatable secure development practices to reduce the introduction of program design flaws that may lead to exploitation, communicating with the appropriate technical and leadership teams to ensure a focus on risk mitigation – allowing for business continuity, but without negligent risk, and assessing applications for weaknesses and finding resolutions before they can be abused. The Application Security Engineer will also be responsible for assessing the security of applications for business-to-business initiatives, third-party relationships, outsourced solutions and vendors, recommending programmatic controls, and monitoring and managing secure development practices to address modern day issues.

The specific duties include:

• Perform vulnerability and penetration testing
• Document security findings with reasonable methods to secure
• Focus on automation to aid in efficiencies with both testing and remediation of findings
• Work in tandem with developers to provide repetitive validation testing prior to production while allowing for a continuous cycle of development followed by application security assessments
• Regularly monitor the security community for public-facing security issues, as well as to learn new tactics that can be used in testing
• Attend and participate in application projects and change management committees, including interacting with business units and technical teams to understand what is coming and how their projects can be more secure from the beginning
• Fully define and follow a security review process to ensure an automated and repeatable process is managed through the use of dynamic and static code analysis resources
• Use security standards and implementation configurations, as well as common security frameworks
• Prepare for and manage bug bounty programs
• Document delivery and implementation advances that meet defined service-level agreements (SLAs) and business metrics
• Align with architects and development teams for a mission of secure design
• Train developers and junior application security engineers on weaknesses to avoid
• Actively participate and lead security team meetings that facilitate secure design
• Highly engage in information security projects that evaluate existing security infrastructure and propose changes as defined by security leadership and architects, and deliver projects on time, within budget and in accordance with SLAs
• Focus on application security that observes compliance – Health Information Portability and Accountability Act (HIPAA), Payment Card Industry (PCI), etc. – and privacy laws
• Work in tandem with architects, the security operations center (SOC), incident responders (when anomalous activity and host compromise occurs), and technology infrastructure and development team members
• Respond to and handle service and escalation tickets within SLA expectations
• Develop security test plans from architectural design and identify deficiencies and make enhancements to ensure production is not impacted
• Drive security efficiencies, enabling security team members to work on more advanced tasks
• Conduct performance testing to stress the limitations of security solutions while ensuring business innovation and day-to-day processes are not negatively impacted

Qualifications and Requirements:

• Bachelor’s Degree (or foreign equivalent) in Computer Science, Information Security, Management Information Systems, or a closely related discipline
• 5 years’ experience in cybersecurity, including compliance and risk management, including 4 years with:
  • Application programming and Code Review
  • Reviewing threat models by analyzing software design and architecture at a high level to identify potential security vulnerabilities
  • Performing security reviews of intra-company, Web applications, and third-party APIs
  • Using DAST and SAST tools to perform reviews on applications
  • Performing Security architecture review and leveraging specialized security tools to evaluate and improve monitoring client applications and networks for security incidents
  • Working closely with stakeholders to develop and implement risk mitigation strategies
• Demonstrated proficiency in:
  • Software development using .Net, Java, Python, C++, and/or Ruby
  • Vulnerability assessment and penetration-testing

Compensation: $158,100/year

A generous benefits package that includes paid time off, health, dental, vision, and 401(k) savings plan with match

This role is onsite at our Chicago, IL office, and offers the option to work from home up to two days per week.