Application Security Engineer at iHerb
- Perform threat modeling, design reviews and code reviews of new Web, API’s and Mobile Applications.
- Manage remediation of any findings from internal or external assessments.
- Integrate security tools (e.g., DAST, SAST, SCA, etc.) in the delivery pipeline and the S-SDLC process.
- Assist in the review, monitoring and/or auditing of applicable daily Security Log Activity and Events. Take action as necessary; escalate to senior staff if required.
- Monitor and Maintain Application Security training and related awareness campaigns: Champion the Security & Privacy Awareness Program for Application Development
- Support our compliance programs (such as PCI) by helping implement and document controls, examining evidence for compliance to standards and perform recurring pen-tests of applications in scope.
- The duties and responsibilities described above may provide only a partial description of this position. This is not an exhaustive list of all aspects of the job. Other duties and responsibilities not outlined in this document may be added as necessary or desirable, with or without notice.
Knowledge, Skills and Abilities:
- Ability to work in a fast paced, rapidly changing environment and a strong desire to learn
- Deep knowledge of OWASP Top 10 (2013 and/or 2017 Version) vulnerability detection and mitigation
- Knowledge of common scripting and application development languages (e.g. PowerShell, C#, Python, T-SQL etc.) and/or the ability to learn is required
- Demonstrate an understanding of key IT operational policies, processes and methodologies applicable to governance, risk management and compliance
- Understanding of PCI-DSS, EU GDPR and CCPA
- Knowledge researching, analyzing and recommending information security solutions
- Knowledge of, experience in Key Management Administration for encryption keys and secrets
- A working knowledge of information security practices and concepts including intrusion detection/ prevention, access controls, risk analysis, vulnerability scanning, and data encryption
- High degree of accuracy and attention to detail
- Excellent organization skills and ability to multitask
- Strong knowledge of information systems and networking is required, at least on a conceptual level.
- 5+ years experience with application and network security
- Experience with various tooling in the Application Security space
- Experience identifying, assessing, and remediating technical security vulnerabilities
- Strong organizational, excellent written, verbal and interpersonal communication skills are needed to work effectively with a wide variety of staff, outside consultants and vendors.
- Bachelor’s Degree or higher in Information Technology, Information Security, Computer Science, or a related field strongly preferred. A demonstrable strong experience may be considered as a replacement for a college degree.
- Advanced industry certification strongly desired, e.g. SANS GIAC (CEH - Certified Ethical Hacker or GXPN - Exploit Researcher and Advanced Penetration Tester, are preferred), Offensive Security Certified Professional (OSCP), CompTIA Security+, CISSP.