Application Security Engineer
Lisbon
Springer Nature Group
We are a global publisher dedicated to providing the best possible service to the whole research community. We help authors to share their discoveries; enable researchers to find, access and understand the work of others and support...
Building services that enable others
Springer Nature is one of the world’s leading global research, educational and professional publishers. It is home to an array of respected and trusted brands and imprints, with more than 170 years of combined history behind them, providing quality content through a range of innovative products and services. Every day, around the globe, our imprints, books, journals and resources reach millions of people, helping researchers and scientists to discover, students to learn and professionals to achieve their goals and ambitions. The company has around 10,000 staff in over 50 countries.
We’re looking for an experienced Application Security Engineer to make AppSec capabilities an integral and frictionless part of our platforms.
About us: Engineering Enablement
The Engineering Enablement (EE) department consists of around 60 people, spread over teams that collaborate closely to fulfil our mission. Within Springer Nature Technology (SNT) we cover several core areas of expertise: PaaS, databases, observability, and cloud and release engineering. You will join a multidisciplinary team with different nationalities, backgrounds and experience levels. We are a very distributed department, but we sometimes travel to work with each other in person. We are based around the globe, with main locations in London, Dordrecht, Berlin, Lisbon and New York.
Our Technology
We have built platforms serving hundreds of developers at scale around the world. We are making more and more use of Kubernetes as a backend container platform and integrating this into our platform offering. We are leveraging the power of Kubernetes to build a new PaaS that will co-exist with the current Cloud Foundry Platform, as well as managing an internal database platform that runs over 1,200 database servers.
Your team
This role is within the Engineering Enablement department (EE), whose mission is to enable frictionless product development by providing managed platforms.
You will work together with the EE security architect and two other security engineers to establish streamlined application security capabilities within these platforms. This is a new community of security experts within the department that needs to be built up and shaped together. You will also work with the central security transformation and security operations teams to ensure that company-wide initiatives are represented in EE and that EE is consulted on them.
As with all teams in EE, we collaborate closely with the departmental teams that provide the platform's surrounding and centralised services, and with all the product development teams within Springer Nature.
Your responsibility
Our internal users run around 4,000 applications on our platform, deploying them through our CI/CD systems many times a day. Together with your team, you are responsible for making sure that the needed security measures are a frictionless and trusted part of those processes.
The company-wide security maturity program aims to build up a global application, data and infrastructure security strategy; your responsibility is to help inform that strategy and to ensure EE fulfils its part of it. As EE sits within a larger organisation, you and your team members make sure we establish a culture of shared responsibility and accountability within the teams building on top of our platforms.
You will contribute to the evolution of our application security measures by leveraging IaC, maximising customer self-service and living the continuous integration mindset. You help to improve and optimise our existing security landscape and consult our internal customers on improving their application security posture.
Key Tasks:
Maintaining and improving the AppSec capabilities of our platform
Running AppSec tooling and integrating it into the continuous integration processes of development teams
Supporting the creation of company-wide structures and initiatives that drive improvements in application security
Driving a "shift-left" approach to application security accountability and responsibility, with a focus on enabling development teams
Working closely with other security-focused teams in the company to shape our overall security strategy
Consulting teams on best practices related to application security
Selecting, and potentially facilitating, application security training
Working with the team to document policies, processes, procedures and technical designs related to application security
Monitoring our overall security posture and using that data to improve our application security capabilities
You will have the opportunity to work on new challenges and drive the evolution of our services in a collaborative and supportive environment.
About you
You are a friendly team member, open to learning from anyone regardless of age, gender, race, role or experience. You value social interaction and can self-reflect by asking questions. You have a strong preference for working together, sharing knowledge and training others.
Desired Skills and Experience:
A keen eye for security-relevant issues
Experience with Infrastructure as Code for automation and configuration management
Programming experience with Go or at least one other modern language
Experience in operating and maintaining cloud infrastructure
Knowledge of secure coding practices and patterns
Understanding of SDLC (Software Development Life Cycle)
Experience with cloud platforms, ideally GCP
Preferred Skills and Experience:
Experience with common CI/CD tools
Experience with containerization
High user and customer orientation
Strong conceptual skills, logical/analytical thinking & problem-solving skills
Experience in contributing to the architecture and design of new and existing systems
Programming experience with languages used by our delivery streams (e.g. Java, Kotlin, .Net)
Proficiency with security tools & technologies (SAST, DAST, IAST, SCA)
Knowledge of common web application security (OWASP Top Ten)
Experience using a maturity model such as BSIMM
Experience facilitating threat modelling across systems and services
We are looking forward to your application. After reviewing your CV, our Talent Acquisition team will contact you to schedule a short initial phone/video call. After this first step we will run two to three rounds (introductory, technical, cultural) with you, each with different members of the Engineering Enablement department and our peers in the CISO department. Where appropriate, these rounds will be held via phone/video call.