Junior Application Security Engineer at iHerb
The Junior Application Security Engineer executes routine information security operations activities related to deploying, monitoring, analyzing, improving and troubleshooting a Secure Systems Development Life Cycle (S-SDLC) and resulting first-party application. With guidance from management and senior staff, supports the implementation of appropriate application and information security procedures and products. Assists senior staff in the evaluation, development, implementation and operational aspects of security standards, procedures and guidelines for multiple platforms and diverse systems environments.
Assist in threat modeling, scanning, and testing of Web, API’s and Native Applications.
Manage remediation of any findings from internal or external assessments.
Assist in utility and script development to improve automation
Integrate and support security tools (e.g., DAST, SAST, SCA, etc.) in the delivery pipeline and the S-SDLC process.
Monitor and Maintain Application Security training and related awareness campaigns: Champion the Security & Privacy Awareness Program for Application Development
Support our compliance programs (such as PCI) by helping implement and document controls, examining evidence for compliance to standards and perform recurring pen-tests of applications in scope.
Knowledge, Skills and Abilities:
Ability to work in a fast paced, rapidly changing environment and a strong desire to learn
Strong knowledge of OWASP Top 10 (2013 and/or 2017 Version) vulnerabilities and mitigation strategies
Familiarity with Linux/Unix
Familiarity with DevOps CI/CD pipelines and software (eg. Jenkins)
Conceptual knowledge of software design patterns (eg. MVC)
A working knowledge of application security practices and concepts including intrusion detection/ prevention, authentication, authorization and access controls, risk analysis, vulnerability mitigations, code integrity, and data encryption
Understanding of common protocols and concepts related to application (eg HTTP, REST API, SOAP API, SAML, OAuth)
Understanding of PCI-DSS and EU GDPR
Knowledge researching, analyzing and recommending information security solutions
High degree of accuracy and attention to detail
Excellent organization skills and ability to multitask
2+ years experience within application security or software development
Experience with various tooling in the Application Security space
Some experience in offensive security / penetration testing of applications
Some experience in software development
Experience identifying, assessing, and remediating technical security vulnerabilities
Strong organizational, excellent written, verbal and interpersonal communication skills are needed to work effectively with a wide variety of staff, outside consultants and vendors.
Bachelor’s Degree or higher in Information Technology, Information Security, Computer Science, or a related field strongly preferred. A demonstrable strong experience may be considered as a replacement for a college degree.
Advanced industry certification strongly desired, e.g. SANS GIAC (CEH - Certified Ethical Hacker or GXPN - Exploit Researcher and Advanced Penetration Tester, are preferred), Offensive Security Certified Professional (OSCP), Offensive Security Web Expert (OSWE), CompTIA Security+, CISSP,...