Full-Time Application Offensive Security Lead (Associate Director) (ID-5067)
Job Description
JOB DESCRIPTION:
- The Associate Director, Application Offensive Security Lead, is responsible for leading, and for providing technical direction and strategy on, all matters related to application offensive security testing, AppSec threat modeling, manual secure code review, threat hunting, and cloud and container security.
- You will build, operate, and optimize these capabilities by combining application offensive security testing, threat modeling, manual secure code review, and advanced threat hunting techniques.
- You will be responsible for performing threat modeling to assess threats at the design stage, performing manual secure code reviews to find code-level security risks that automated scanners cannot identify, and using advanced exploitation techniques to prove vulnerabilities with evidence in a pre-production environment.
RESPONSIBILITIES:
- Sets strategy and provides technical direction to the Application Offensive Security team for capabilities such as AppSec red team assessment/offensive security testing, application threat modeling, manual secure code review, advanced threat hunting techniques, and container security.
- Runs day-to-day operations, including AppSec threat modeling of application design architectures, manual secure code review of in-house developed applications, and advanced penetration testing techniques to identify vulnerabilities that automated SAST and DAST scanners cannot report.
- Leads a robust team of AppSec Consultants and AppSec Specialists and coordinates with the various partners and vendors that make up the AppSec ecosystem.
- Generates and summarizes reports on assessment findings to facilitate remediation; documents technical issues identified during security assessments using standard CWE (weakness type) and CVSS (severity) classifications.
- Defines and supervises application vulnerability and coverage KPIs/metrics that demonstrate assessment coverage and remediation efficiency.
- Collaborates with Security Architects, Product Managers, Risk Managers, and other teams to deliver high-quality products.
- Interacts with senior management on matters where acceptance of an alternate approach may be needed.
- Cultivates and manages relationships with key partners at varying organizational levels.
- Assists with executive communication to senior leadership on the status of Application Offensive Security programs.
QUALIFICATIONS:
- At least 10 years of multifaceted IT experience, preferably in information security or a related field
- Bachelor's degree in a related field and/or equivalent experience
- Domain specialist in several security technologies (depth) with the ability to lead across enterprise application security functions (breadth)
- Exposure to application security vulnerabilities (as listed in the OWASP Top 10 and CWE/SANS Top 25), security testing methodologies, and related tools such as Fortify, WebInspect, Burp Suite, Nexus, and more
- Programming experience with at least one of Java/J2EE, JavaScript, or Python, and experience performing manual secure code review in popular web application languages and frameworks (Java, JavaScript, Angular, Python, etc.)
- Programmatic understanding of authentication and authorization mechanisms across different web technologies and protocols (SSL/TLS, REST, OAuth, SAML, etc.)
- Experience working with DAST, SAST, and penetration testing tools
- Experience with application build pipelines, automation, and CI/CD
- A broad and deep understanding of cybersecurity threats, vulnerabilities, controls, and remediation strategies
- Knowledge of large-scale cloud-based services and container security, and a very good understanding of the security challenges involved in deploying cloud and container applications
- Experience facilitating technical conversations between engineering and operations teams
- Experience leading global teams and remote employees, evaluating team member performance, and offering career development mentorship
- Excellent verbal and written communication skills
- Experience handling relationships with and addressing senior management
- Ability to work under pressure, multitask, and be flexible
- Strong planning and project management skills
- Highly desired: one or more of the following active certifications: CSSLP, CISSP, OSCP, GIAC GPEN
MUST HAVE:
At least 10 years of multifaceted IT experience, preferably in information security or a related field
A broad and deep understanding of cybersecurity threats, vulnerabilities, controls, and remediation strategies
Domain specialist in several security technologies (depth) with the ability to lead across enterprise application security functions (breadth)
Application security vulnerabilities (as listed in the OWASP Top 10 and CWE/SANS Top 25), security testing methodologies, and related tools such as Fortify, WebInspect, Burp Suite, Nexus, and more
Programming experience with at least one of Java/J2EE, JavaScript, or Python, and experience performing manual secure code review in popular web application languages and frameworks (Java, JavaScript, Angular, Python, etc.)
Programmatic understanding of authentication and authorization mechanisms across different web technologies and protocols (SSL/TLS, REST, OAuth, SAML, etc.)
DAST, SAST, and penetration testing tools
Application build pipelines, automation, and CI/CD
Knowledge of large-scale cloud-based services and container security, and a very good understanding of the security challenges involved in deploying cloud and container applications
NICE TO HAVE:
One or more of the following active certifications: CSSLP, CISSP, OSCP, GIAC GPEN
ADDITIONAL INFORMATION:
Competitive compensation, including base pay and annual incentive.
Comprehensive health and life insurance and well-being benefits, based on location.
Pension / Retirement benefits
Paid time off, personal/family care, and other leaves of absence when needed to support your physical, financial, and emotional well-being.
Includes a flexible/hybrid model of 3 days onsite and 2 days remote (onsite Tuesdays and Wednesdays, plus a third day unique to each team or employee).