KGS - EWT Security | Appsec Enablement Engineer - Manager

Bangalore, Karnataka, India

KPMG India

KPMG is a global network of professional firms providing Audit, Tax and Advisory services.

This role is within the AppSec Enablement sub-team, which works closely with developers and engineering communities to drive improvements to the security processes and automated tooling implemented in the Secure Software Development Lifecycle (SSDLC). The team works with Platform Engineering teams to provide SME oversight on strategic application security testing tooling, to ensure best practices are implemented and to assess new functionality for implementation. The AppSec Enablement team acts as an escalation point for support in addressing application security vulnerabilities that may arise. The team also manages the day-to-day operation of the SAA Threat Modelling tooling and oversees its integration within the CI/CD pipeline and other core services.

 

The purpose of this role is to work with Developer and Engineering teams to manage the adoption and development of security features in our SSDLC tooling, identifying and defining new requirements in relation to business changes.  The role holder will also provide SME support for application vulnerabilities and security incidents where required.  The role will work closely with other Cyber Security teams to support the delivery of Threat Modelling, and Application Security training and awareness.

The AppSec Enablement Engineer will:

  • Manage the development of automated security testing features with DevSecOps teams to validate that secure coding best practices are being used, managing tooling roadmaps and assessing new functionality.
  • Provide SME support for escalations in relation to security-focused code reviews and application security vulnerabilities that could arise.
  • Work with the Vulnerability Management team.
  • Working with the SAA Business Enablement team, drive and support the delivery of application security awareness and Threat Modelling training to the KPMG Developer and Engineering communities. 
  • Manage the day-to-day operation of the SAA Threat Modelling tooling and its availability, dealing with support requests and incidents.
  • Deputise for the team lead. 
  • Share experiences with others to assist their learning and understanding in the wider team.
  • Stay up to date with the latest security trends, vulnerabilities, and best practices related to Cloud and Application Security, DevOps, and Agile.     

You must:

  • Have worked in at least one of the following:
    • As a Developer or Engineer in a DevOps/DevSecOps team 
    • In a penetration testing/vulnerability management team  
  • Have experience of using and/or managing the implementation of SSDLC tooling, including code repositories (e.g. GitHub, Azure DevOps) and application security testing products (across SAST, DAST, Software Composition Analysis).
  • Be proficient in one or more coding languages (e.g. Python, C#, .NET etc.).
  • Have experience identifying security issues through code reviews.
  • Have a strong understanding and experience, within the SSDLC, of common security libraries, security controls, and common security flaws (e.g. OWASP Top 10).
  • Have a good understanding of cloud and application security concepts, best practices, and industry standards.
  • Be able to demonstrate the ability to adapt communication style to explain technical concepts to different people within an organisation, whether advising stakeholders, directing teams, or sharing experience.
  • Have experience of successfully working in fast-paced, customer service/regulated environments, delivering high quality information security services.
  • Be calm in challenging situations, able to navigate through complex security problems to find the root cause and a balanced outcome.

It would be advantageous if you can demonstrate some, or all of:

  • Any relevant cloud and application security certifications.
  • Experience of bug bounty programs and contributing to the security community through public research, blogging, presentations, etc.
  • Experience of Threat Modelling.

Tags: Agile Application security Azure C CI/CD Cloud DAST DevOps DevSecOps OWASP Pentesting Python SAST SDLC SSDLC Vulnerabilities Vulnerability management

Region: Asia/Pacific
Country: India
