• 5 years of relevant work experience
• Software development experience in a production environment
• A deep understanding of the application architecture
• A knack for finding flaws in software and the ability to communicate efficiently how to fix them
• Strong communication skills and experience working closely with a product team
• Doesn’t always default to industry norms when solving a problem
• An ability to think like an attacker to develop threat models
• Has designed and implemented mitigations for common classes of bugs
• Five or more years’ experience in:
  • Authentication (identity management, MFA/2FA)
  • Applied cryptography (PKI, appropriate usage of cryptographic primitives, digital signatures, hashing, HMACs)
  • Authorization (claims, RBAC, fine grained, coarse grained, XACML, OAuth, SAML)
  • Web services security (WS-Security, OAuth, JWT)
  • Static source code review tools (e.g. Fortify, AppScan Source, Contrast, etc.)
  • Application service hardening (CIS, NSA/DOD STIGs)
• Coding experience in one or more general languages
• Certified Security Software Lifecycle Professional (CSSLP)
• Certified Information Systems Security Professional (CISSP)
• BA or BS in information security, engineering, computer science, or related areas. A Master’s degree in an IT field is a plus, and a Master’s in cybersecurity is an even bigger plus.
• Mobile App development experience a plus
All IT benefits
• Develop techniques to ensure development teams find flaws before they are introduced into production
• Be a security subject matter expert and respond to any security development question
• Work with development teams to design solutions that are inherently secure
• Be a champion for simple security models
• Correctly balance security risk and product advancement
• Lead software security initiatives
• Lead or participate in threat modeling discussions
• Perform code deep dives to uncover security vulnerabilities or design
• Document findings and architectural issues for consumption by development and other security teams
• Evaluate the security posture of existing applications
• Perform proactive research to detect new attack vectors and pentest internal and external apps