Application Security Lead

Bangalore, India

Calix

Calix is a leading provider of cloud and software platforms, systems, and services for internet service providers. Partner with Calix and grow your business.

Calix provides the cloud, software platforms, systems and services required for communications service providers to simplify their businesses, excite their subscribers and grow their value.

Role Description
The Application Security Specialist should have at least 8-10 years of experience in the Application Security domain and in engaging with Architects, Technical Leads and Security Champions from development teams to ensure that security and privacy needs are considered well in advance during the product development cycle.
In this role, you will be responsible for analysing the security of applications and services, including vendor-provided solutions, discovering and addressing security issues, building security automation, and reacting quickly to new threat scenarios. You will design and develop processes and workflows to perform dynamic application security testing (DAST) assessments on networks, hosts, cloud and mobile applications.

Roles & Responsibilities

  • Subject Matter Expertise - Act as SME and provide technical leadership in the AppSec domain, mainly host-level security, fuzz testing, web application and API security, with pen test knowledge. Support SCA and DAST scan operations, including scoping, scan setup, scan validation and post-scan activities such as prioritization and reporting.
  • Vulnerability Management - Conduct regular vulnerability scans and assessments across the organization’s product landscape. Analyze vulnerabilities and threats, determine their potential impact, provide detailed insights that enable proactive risk reduction, and ensure compliance with industry standards.
  • Tools Engineering - Deploy and manage SCA / DAST / FUZZ security tools, including configuration and deployment of the tools and of plugins / test suites for specific sets of vulnerabilities. Work with the product teams to finalize the API contracts and SUT details for every release under test.
  • Security Posture - Work with Product Security leadership to mature Application Security Posture Management (ASPM), including reporting and remediation guidance in alignment with regulatory requirements. Identify security gaps / deficiencies and recommend corrective action for identified vulnerabilities and weaknesses.
  • Vendor Management - Communicate with vendors on scan performance, scan configurations, false positive analysis, feature requests, version upgrades, etc. Monitor vendor communities for the latest updates on troubleshooting tools / issues and open support queries with the vendor as necessary.

Qualifications:

  • 8-10 years of Application Security experience, with a minimum of 6 years of experience in SCA / DAST tools such as Burp Suite, Netsparker Invicti, Snyk, etc.
  • Hands-on experience in testing web applications, APIs and mobile applications to identify vulnerabilities and weaknesses.
  • Build and maintain DevSecOps integrations between the SCA tool and SCM on a planned cadence, and configure policy violation alerts from both a license and a security viewpoint.
  • Experience in managing exceptions and the risk register, and in making recommendations on security requirements. Knowledge of managing end-of-life or obsolete component disposal would be a plus.
  • Knowledge of coding vulnerabilities, frameworks, patching processes, Information Security risk and industry best practices, defence concepts and risk-based assessment approaches.
  • Knowledge of the OWASP Top 10 and SANS Top 25 to identify vulnerabilities via manual and automated tests, along with the capability to remediate them effectively.
  • Understanding of the principles of secure coding techniques and secure code reviews, code scanning software and vulnerability code scanning processes, network protocols and connectivity.
  • Working knowledge of other security domains such as Cryptography, Identity and Access Management, and Threat and Vulnerability Management is desirable.
  • Develop processes and improvements around toolsets, along with technical guides / documentation for toolset features and best practices.
  • Exposure to hardware and firmware analysis, such as reverse engineering to decode binaries / messages, and related tools.
  • Lead fuzz testing activities by implementing custom fuzzers using industry-standard tools and frameworks such as OSS-Fuzz, LibFuzzer, etc., to effectively unearth vulnerabilities and bugs in software components.
  • Deep knowledge of CVE, CWE, CVSS and common vulnerability classes.
  • BA/BS degree in computer science, engineering or information security. Desirable: one or more security certifications (CEH, CISM, CISSP).
  • Must have excellent verbal, written and presentation skills. Ability to work in a fast-paced and highly collaborative environment.

Region: Asia/Pacific
Country: India