Are you a highly skilled cybersecurity application security professional that has a passion to secure web and mobile applications? Use your expertise to help us craft the next generation of our application security program. You will work closely with our cybersecurity teams, application development teams, and operations teams conducting security testing, penetration testing, purple teaming, and breach / attack simulation. Help us re-think what it means to be a secure insurance provider delivering capabilities in a fast-changing, highly competitive market.
Your day could include, and the experience, education and certifications we would like to see:
- Perform penetration testing and secure code testing activities
- Provide tactical and strategic guidance and detailed remediation advice aimed at helping clients achieve strong security postures
- Consult with development teams and provide them with information about application security and secure development lifecycle processes
- Integrate automated testing into a DevSecOps process (Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and other technologies as necessary) within the overall SSDLC process design
- Manage real-time application protection software and web application firewalls to provide proactive prevention of known attacks
- Track and monitor current and trending practices in software engineering, DevOps and application security
- Assist with the development and operational aspects of purple teaming and breach / attack simulation, advancing our capabilities to both detect and prevent known attacks while mapping those activities to the MITRE ATT&CK Framework
- Obtain and evolve technical expertise, certifications, and industry credentials through formal and informal training and other educational initiatives
- Must have 3+ years of experience in application/network/web/mobile penetration testing and tooling, purple team, or application security engineering and architecture, preferably in a large and distributed operating environment
- Demonstrated expertise in Application Security, specifically web and mobile application security, configurations, vulnerability assessments
- Professional experience with any of the following: Java, .NET, AWS, Functional programming, SQL, MongoDB, CouchDB, Neo4J, Hadoop, Cassandra, DynamoDB, ElasticSearch, Solr
- Expert knowledge of OWASP Top 10 and ability to articulate web security risks
- Knowledge of automated DAST, SAST, and RASP tooling is preferred, including but not limited to OWASP Zed Attack Proxy, BURP Suite, Nessus, Metasploit, Postman, Client WebInspect, Qualys, or WhiteHat
- Operational understanding of TCP/IP and computer networking. Knowledge of the functions of security technologies such as IPS/IDS, firewalls, Security Information and Event Management (SIEM) tools, etc. is a plus
- Possession of industry standard certifications such as OSCP, CEH, GWAPT, GPEN and/or other relevant penetration testing related certifications is a plus
- Knowledge of SDLC, Agile, Waterfall, or Scrum
- Information Security, Security Testing and/or Risk Analysis Experience
- A broad understanding of the terminology, core principles, IT controls and best practices across key risk domains, including: risk assessment methodology, identity and access management, network and infrastructure security, application security, data loss prevention, and incident management
- Self-motivated team player with the ability to handle multiple work streams and support various team member collaborative projects to completion
- Proven excellent relationship management skills with all levels of the enterprise are required
- Ability to effectively collaborate across teams