Senior Engineer - Applications Security

What makes this a great opportunity?

The Senior Engineer: Application Security Engineer is a key member of the Global Information Security Team who work closely with development teams, product managers (PM), and third-party groups (including the paid bug bounty program) to ensure that Suntory Global Spirit products are secure.

We are seeking a highly skilled and experienced Application Security Engineer to lead our DevSecOps, API security, threat modeling, mobile security initiatives. This role requires a blend of technical expertise and leadership to manage a team of engineers, ensuring the security, reliability, and efficiency of our CI/CD pipelines and SDLC processes. You will work closely with cross-functional teams to implement robust security measures, optimize our DevOps practices, and drive compliance initiatives.

Role Responsibilities

•    Developing and maintaining software application security policies and procedures
•    Providing technical leadership, guidance, and direction to the application security team
•    Developing and maintaining documentation of application security controls
•    Implementing software application security controls
•    Designing technical solutions to address security weaknesses.
•    Improving and supporting application security tool deployments including static analysis and runtime testing tools Improving and maintaining secure development standards
•    Providing manual penetration testing and standards gap analysis services to internal business and technology partners.
•    Integrating threat modeling practices into the product life cycle.
•    Implementation of web application firewall on all the websites.
•    Providing security requirements for test-driven design
•    Producing metrics reporting the state of application security programs and performance of development teams against requirements
•    Ensuring the change & release management follows the defined processes & guidelines for application security.
•    Developing and managing the DevSecOps for assurance of secure code practices across the organization
•    Lead the remediation of application vulnerability screening and penetration testing.
•    Manage integration with vulnerabilities assessment techniques, including Static Code Analysis and Dynamic Code Analysis
 

Qualifications

•    Minimum of 6 years of experience in CI/CD, DevSecOps, Automation, Quality Engineering, and Cybersecurity.
•    At least 4 years of experience in SAST/DAST and penetration testing.
•    At least 2 years of experience in Web application firewall (AKAMAI) implementation.
•    Hands-on experience with DevSecOps tools and practices, including static code analysis, security scans, and automated testing.
•    In-depth knowledge of web and API security vulnerabilities, attack vectors and mitigation techniques
•    Experience with multiple programming languages (Java, JavaScript, Go, Python, Ruby, Objective-C, C#, PHP) with hands on level coding experience with at least one scripting and one objected oriented programming language.
•    Fluent with security testing with SAST, SCA, DAST, IAST, Fuzz and penetration testing tools
•    Understanding of application security standards such as OWASP ASVS/Top 10 and CWE 25
•    Ability to discover and patch SQLi, XSS, CSRF, SSRF, authentication and authorization flaws, and other web-based security vulnerabilities (OWASP Top 10 and beyond).
•    Knowledge of common authentication technologies including OAuth, SAML, CAs, OTP/TOTP.
•    Knowledge of DevSecOps to maintain security in CI/CD pipeline.
•    Solid experience with security tools like Fortify, CheckMarx, VeraCode, BurpSuite, Snyk, Nessus
•    Familiar with tools like Git, Jenkins, CircleCI, Maven, Ant, Gradle, Nexus, SonarQube, Artifactory, Chef, Splunk
•    Strong knowledge of cryptography, API security, and secret management
•    Ability to communicate concerns and issues clearly and effectively to the management and engineers.
•    Excellent interpersonal and communication skills, with the ability to work effectively with all levels of management.
•    Good oral and written communication skills
•    CEH & CISSP or CISA certification preferred.