Cybersecurity Operations Engineer - Application Security
Issaquah, WA, US
Costco Wholesale
Costco IT is responsible for the technical future of Costco Wholesale, the third largest retailer in the world with wholesale operations in fourteen countries. Despite our size and explosive international expansion, we continue to provide a family, employee centric atmosphere in which our employees thrive and succeed. As proof, Costco ranks eighth in Forbes “World’s Best Employers”.
This is an environment unlike anything in the high-tech world and the secret of Costco’s success is its culture. The value Costco puts on its employees is well documented in articles from a variety of publishers including Bloomberg and Forbes. Our employees and our members come FIRST. Costco is well known for its generosity and community service and has won many awards for its philanthropy. The company joins with its employees to take an active role in volunteering by sponsoring many opportunities to help others.
Come join the Costco Wholesale IT family. Costco IT is a dynamic, fast-paced environment, working through exciting transformation efforts. We are building the next generation retail environment where you will be surrounded by dedicated and highly professional employees.
Security Engineers develop, design, implement, and integrate security systems used to safeguard enterprise assets against cyber-attack. Security Engineers drive innovation, influence delivery, and maximize performance. They deliver high-quality artifacts, develop and run security tests, and continuously tune security tools for optimization. Security Engineers identify gaps and inefficiencies and work with the business to implement solutions based on their requirements.
Application Security Engineers have deep knowledge and hands-on experience in enterprise-wide platforms. They solve technical problems while working on technology initiatives. Engineers have strong architectural, leadership, and technical skills. They ensure delivery of high-quality artifacts, and adhere to and follow Costco’s SDLC. Engineers interact in a highly effective manner with other team members and management, drive innovation, lead initiatives, and influence delivery and performance.
The Application Security Engineer will work closely with stakeholders in Security, the Business, and other leaders within Costco, as well as partner with suppliers and utilize vulnerability management resources. The Engineer is responsible for the successful delivery, design, and support of the vulnerability management program. This role has specific focuses on application security, vulnerability scanning, vulnerability validation, vulnerability scan outputs, strong coding experience and the tools and methodologies utilized within the program. The Engineer partners with suppliers for product consideration, proof of concepts, and solution recommendations. The Engineer ensures security best practices are enforced, mentors team members, and provides consultative services to teams and stakeholders to improve the vulnerability management of their environments. The Engineer is expected to lead the team, strategize security measures, and manage security risks at an organizational level.
The role of every Application Security Team member is to support the overarching values and business goals of Costco, including meeting legal, ethical, and regulatory obligations; protecting member, employee, and supplier privacy; and ensuring a technologically secure operating environment.
If you want to be a part of one of the worldwide BEST companies “to work for”, simply apply and let your career be reimagined.
ROLE
● Provides security and technical expertise to support the development of security objects to satisfy business requirements.
● Analyzes and administers security policies to control physical and virtual system access.
● Identifies and investigates security issues and develops security solutions that address compliance requirements that can/do impact security.
● Identifies, develops, and implements mechanisms to detect security incidents in order to enhance compliance and support of the security standards and procedures.
● Assesses business role requirements, reviews authorization roles, and supports authorizations.
● Validates system configurations to ensure the safety of information systems assets and protects information systems from intentional or inadvertent access or destruction.
● Identifies security gaps that expose Costco to potential exploit and develops short- and long-term prioritized remediation to address those gaps.
● Determines strategy and protocol for network behavior, analysis techniques, and tool implementation.
● Identifies and resolves problems often anticipating issues before they occur or before they grow; develops and evaluates options; and implements solutions that support the business.
● Provides subject matter expertise in systems security policies, standards/practices, protocols, and technologies.
● Configures, deploys, maintains, and supports security tools.
● Creates dashboards, configures alerts, implements and supports security software platforms, and monitors tools/apps.
● Identifies opportunities for streamlining, and increasing effectiveness through continuous process improvement.
● Develops and documents security events and incident handling procedures into Playbooks.
● Ensures that incident documentation is comprehensive, accurate, and complete.
● Works with internal and external auditors.
● Designs, configures and maintains various degrees of security.
● Researches, reproduces, and responds to security vulnerabilities reported through Costco’s bug bounty program.
● Performs in-depth analysis of new vulnerability classes.
● Develops team vision to drive new capabilities against a published roadmap, in conjunction with management.
● Formulates and directs activities that align short-term goals and long-term initiatives while providing accurate and timely estimates of work breakdown schedules.
● Influences and drives adoption of best practices and high-quality standards throughout the division.
● Integrates diverse solution components across multiple platforms using industry standard interfaces.
● Optimizes team efficiency and performance through high-level technical direction.
● Provides technical leadership in implementation of applications, strategic planning sessions, documentation of requirements, tool implementation, database query languages, and programming languages.
● Presents technical designs and solutions to executives, management, and other audiences to gain consensus and/or project approval.
● Serves as a subject matter expert for application security, vulnerability management, and vulnerability scanning.
● Supports and consults with product and development teams in the area of application security.
● Assesses applications for vulnerabilities in web UIs, mobile applications, and APIs.
● Provides manual application secure code reviews.
● Works analytically to solve both tactical and strategic problems within the vulnerability management program.
● Identifies attack surface reduction opportunities through vulnerability data analysis from enterprise custom and COTS applications.
● Identifies opportunity for process and personnel improvement to mature the vulnerability management program.
● Contributes as an active member of the Threat Exposure Management team; participates in team activities and planning in regards to improving team skills, awareness, communication, reputation, and quality of work.
● Collaborates and communicates with Compliance, Internal Audit, Business teams, and others to identify, analyze, and communicate risk; provides support around vulnerability management within their business requirements.
● Coordinates with the Incident Response team to remediate security incidents as needed.
● Understands compliance requirements that may impact security, and effectively collaborates with business areas and project teams to develop security solutions that address requirements.
● Advocates for compliance and security measures, both internally and externally, to protect corporate applications and environments.
● Works with information systems owners and administrators to understand their security needs and assists with implementing best practices and procedures consistent with Costco’s security policies.
● Maintains current knowledge of industry trends and standards; proactively pursues professional growth in the areas of technology, business knowledge, and Costco policies and platforms.
REQUIRED
● 3+ years’ experience in security in an enterprise environment.
● 1+ years’ experience with Azure, GCP or another cloud service.
● 1+ years’ experience with applying penetration testing techniques for vulnerability validation, vulnerability management, attack methodologies, forensics analysis techniques, Cyber Threat Emulation operations, and identification and verification of new APT tactics, techniques, and procedures.
● Ability to ramp up and understand new designs, systems, and technology.
● Understanding of software development lifecycle and integrating application security into a CI/CD pipeline.
● Experience with vulnerability management processes including scanning, reporting, and remediation planning.
● Knowledgeable in remediation activities at the code or script level, including fixing vulnerabilities or defects.
● Experienced in revision control systems and the agile process using ADO, Git, or similar code repository functions (Pull, Fetch, Push, Sync).
● Experience working on mobile programming languages, development practices, and common bug patterns.
● Familiar with application vulnerability/security frameworks and standards such as OWASP Top 10, SANS Top 20, CVE, CWE, CVSS, etc.
● Demonstrates strong verbal and written communication skills.
● Ability to clearly communicate Information Security matters to executives, auditors, end users, analysts, peers, and engineers, using appropriate language, examples, and tone.
● Experience identifying and validating security requirements for software.
● Experience working with software development teams.
● Realistic outlook that understands security problems as a balance of both security and business needs.
● Demonstrated logical and structured approach to time management and task prioritization in support of team work goals.
● Strong analytical skills, documentation skills, and awareness of change management; ability to adapt to changing priorities.
● Strong collaborative mindset and able to function as a contributing member of the team.
● Ability to handle highly confidential information in a strictly professional manner.
● Scheduling flexibility to meet the needs of the business.
● Ability to communicate technical information clearly to peers and other teams.
Recommended
● 2+ years’ experience in a security engineering role in an enterprise environment.
● 2+ years’ experience in a software engineering or DevOps role in an enterprise environment.
● Experience with one or more scripting or development languages such as Java, C++, Python.
● Experience coding, implementing custom software solutions, and supporting them in production environments.
● Strong code review experience.
● Knowledge of WAF rules and penetration testing is a plus.
● Knowledge of application security testing tools, such as SAST, SCA, and DAST, is an advantage.
● General cloud knowledge.
● Familiarity with Kanban or agile continuous improvement methodologies.
● Experience developing and reporting enterprise level metrics.
Required Documents
● Cover Letter
● Resume
California applicants, please click here to review the Costco Applicant Privacy Notice.
Pay Range: $150,000 - $190,000, Bonus and Restricted Stock Unit (RSU) eligible
We offer a comprehensive package of benefits including paid time off, health benefits - medical/dental/vision/hearing aid/pharmacy/behavioral health/employee assistance, health care reimbursement account, dependent care assistance plan, short-term disability and long-term disability insurance, AD&D insurance, life insurance, 401(k), stock purchase plan to eligible employees.
Costco is committed to a diverse and inclusive workplace. Costco is an equal opportunity employer. Qualified applicants will receive consideration for employment without regard to race, national origin, gender, gender identity, sexual orientation, protected veteran status, disability, age, or any other legally protected status. If you need assistance and/or a reasonable accommodation due to a disability during the application or the recruiting process, please send a request to IT-Recruiting@costco.com
If hired, you will be required to provide proof of authorization to work in the United States.