Senior WAF Security Engineer

Durham, NC, United States

Pearson


WAF Security Engineer 

 

 

Role Purpose

 

  • The Enterprise Application Security team is responsible for protecting Pearson’s commercial digital products and data, our learners’ data, and Pearson’s internal applications. By employing a blend of technology, developer training, test integration, and process automation, the Application Security team’s goal is to reduce our risks and provide ongoing Internet safe havens for our learners.
  • This role is critical to enhancing our Web Application Firewall (WAF) across multiple solutions and applications, and will be pivotal in crafting, testing, and implementing advanced WAF solutions. It involves a strong focus on developing robust security measures against web-based attacks, contributing significantly to the security posture of our organization, and passing audits.

 

Responsibilities 
 
As a direct report to the Head of Application Security Engineering, you will have the following accountabilities: 
   

  • Develop and refine complex custom WAF rules and features, ensuring mitigation of Minimum Viable Product (MVP) and security posture gaps.
  • Own all technical tasks essential for passing WAF audits, ensuring they are compliant and included in DevOps automation processes, including aspects such as management plane access control, traffic visibility, application of mitigative OWASP Top 10 based rules and features, versioning strategies for each WAF solution, etc.
  • Apply coding expertise to create effective testing mechanisms for baseline and custom WAF rules, integrating these tests seamlessly into automation pipelines.
  • Offer subject matter expert (SME) support in various security testing areas, including WAF Proofs of Concept (PoCs).
  • Provide specialized WAF-focused advice on web and API attack methodologies, evasions, and mitigation techniques, leveraging your ethical hacking background.
  • Contribute security and technical knowledge alongside organizational skills to assist Cyber teams with effective WAF SIEM use cases.

 

 

 

 

Skills and Experience 
 

  • Extensive experience with web application security log analysis, gained in a Cyber SOC/CSIRT work background, and a willingness to up-skill into a WAF Engineering SME role (AWS and Akamai).
  • Strong background in ethical hacking
  • Extensive experience with web-based attack methodologies, including knowledge of tools, payloads, exploits, and countermeasures.
  • Proficient in web application and API security.
  • Skilled in identifying and mitigating WAF/IPS/CSPM security vulnerabilities.
  • Expertise in developing custom WAF rules and security testing packages.
  • Solid understanding of OWASP Top 10 vulnerabilities.
  • Proficiency in at least one programming language.
  • Ability to automate security testing within CI/CD pipelines.
  • Knowledgeable in networking, cloud firewalls, and web technologies.
  • Strong grasp of DevSecOps principles and practices.
  • Awareness of Agile methodologies.

 


Region: North America
Country: United States
