Web Application Firewall (WAF) Engineer

We are seeking a highly motivated and experienced Web Application Firewall (WAF) Engineer (Akamai preferred) to join our established security team. In this role, you will be responsible for all aspects of our WAF deployment, including design, implementation, configuration, optimization, and ongoing maintenance. You will work closely with other security and engineering teams to ensure the protection of our web applications from evolving cyber threats. You will be leaned on to liaise with other engineering teams to integrate the WAF solution seamlessly on premise and in the cloud.

Primary Accountabilities

Technical (80%)

• Monitoring: Monitor the usage, performance and availability of the web application firewall (WAF) infrastructure and services.

• Design:  Maintain a comprehensive understanding of WAF design concepts, including managed rules, shared objects, exclusions and routing rules

• Configure: You will be primarily responsible for the configuration, deployment and maintenance of web application firewall (WAF) deployments  

• Administration: Monitor and troubleshoot for security impact on performance and connectivity issues.

• Compliance: Ensure compliance with security best practices and organizational policies.

• Collaborate: Develop relationships and collaborate with cross-functional teams to deliver scalable and efficient security solutions.

• Documentation: Document WAF configurations, deployments, standards and best practices

• Policy Contribution: Collaborate with policy stakeholders to develop and enforce WAF protection

• Continuous Improvement: Stay current with industry trends and advancements in WAF technologies and continuously integrate learnings into our standards and practices 

• Incident Response: Collaborate with the incident response team as part of the CSIRT (cyber security incident response team) to support DFIR operations, e.g. applying virtual patches and rules to address emerging threats

• Education: Bachelor’s degree in computer science, Information Security, or a related field (or equivalent experience)

• Certifications: One or more of the following: CCNA, CCNP, CCIE, Azure Security Engineer Associate, AWS Certified Security Specialty, Google Cloud Security Professional, GWEB, GWAPT

• Experience: 

  • Design, deploy, configure, and maintain WAF solutions to protect our web applications from various attacks, including OWASP Top 10 and Zero-Day vulnerabilities

  • Collaborate with application development teams to transition their apps behind the WAF. Then provide ongoing support as application design changes necessitate

  • Stay up to date on the latest WAF technologies, threats, and best practices

  • Participate in security assessments and penetration testing activities

  • Document WAF configurations, policies, and procedures and also create and maintain technical documentation

  • Assist with onboarding and training junior security engineers

  • 3-5 years of experience in information security and 2-3 years in Web Application Security

  • In-depth knowledge of WAF technologies and solutions (e.g., Akamai, AWS WAF, F5 BIG-IP WAF, Imperva Secure Sphere, Cloud flare WAF)

  • Strong understanding of web application security concepts (OWASP Top 10, Structured Query Language (SQL) Injection, XSS, etc.)

  • High level understanding of web application technologies, e.g. HTTP, HTML, common web programming languages, Caching and Content Delivery Networks (CDNs)

  • Experience with network security concepts (firewalls, intrusion detection/prevention systems)

  • Experience using threat intelligence (CTI) and attacker tactics, techniques and protocols (TTP) (like MITRE ATT&CK and/or D3FEND) to inform architecture, design and configurations

  • Ability to write code in common programming languages, e.g. Python

  • Strong analytical and problem-solving skills with an ability to assimilate, analyze, and correlate large amounts of forensic data from various network and security devices, logs, and alerts

  • Experience in handling web application protection for a large enterprise network or service provider network

  • Experience in industry standards that are relevant to our line of business, such as NIST CSF, ISO 27001, Health Insurance Portability and Accountability Act (HIPAA), HITRUST, Payment Card Industry Data Security Standard (PCI DSS)

  • Infrastructure as Code (IaC) experience with terraform, ansible, AWS CloudFormation or similar.

  • Strong understanding of DNS, DHCP, routing, and IP addressing in cloud environments.

Project Management (20%)

• Work with IT shared services, DevOps and application development teams to ensure secure network architecture and configuration

• Educate and train engineering and IT teams.

• Evaluate client needs, coordinate design for a solution, and clearly communicate the value proposition of complex and highly technical cyber security subjects.

Individual Competencies:

• Integrity: Gains the trust of others through a strong commitment to security, compliance, taking responsibility for your own actions and telling the truth. 

• Teamwork: Builds relationships and works cooperatively with others, inside and outside the organization, to accomplish objectives to build and maintain mutually-beneficial partnerships, leverage information and achieve results.

• Adaptable: Responds to change with a willingness to learn new ways to accomplish work objectives with a positive attitude.

• Innovative: Ability to develop, sponsor, or support the introduction of new and improved methods, products, procedures or technologies.

• Curious: A desire to inquire and learn, to seek new knowledge and wisdom, and to listen to the contributions of others with a genuine interest to better self, the team, and the organization.

• Analytical and Critical Thinking:  Ability to tackle a problem by using a logical, systematic, sequential approach.

• Problem Solving: Gathers and analyzes information to generate and evaluate potential solutions to problems, issues and challenges while weighing the accuracy and relevance of the facts, data and information.

We are an Equal Opportunity Employer, including disability/vets.