Application Security Engineer (Flexible/Remote)
Job Number 190012GI
Job Category Information Technology
Location Marriott International HQ, 10400 Fernwood Road, Bethesda, Maryland, United States
Position Type Management
Start Your Journey With Us
Performs security application source code reviews, application vulnerability testing and application threat assessments. Leverages advanced tools, methods and approaches to demonstrate weaknesses in applications. Responsible for assuring developers and technical personnel address application security issues in a timely fashion. Will routinely collaborate with different security team members including, but not limited to: architecture, infrastructure, network, compliance and incident response.
Education and Experience
- Bachelor’s degree in Computer Science or related field or equivalent experience/certification
- 3+ years working as a frontend or backend software developer
- Has written, tested and deployed at least one revenue generating web application
- Has worked as a developer on a team consisting of 5 or more software developers
- Expert level knowledge of at least one compiled programming language
- Expert level knowledge of at least one interpreted programming language
- Ability to write a software specification
- Knows how to perform an application stress test
- Ability to conduct independent research
- Strong understanding of HTML, HTTP, JSON, and XML
- Understanding of web service implementation paradigms (REST, SOAP)
- Familiar with OWASP and the common flagship projects
- Basic understanding of Cryptography concepts: hashing, signing, symmetric/asymmetric encryption and decryption
- Basic understanding of network security concepts: DoS, DNS spoofing, ARP poisoning, reverse shells, firewalls
- Basic understanding of defensive programming and test-driven development
- Knows how to perform common application exploits: XSS, SQL Injection, UI Redressing, Directory Browsing, Log Forging
- Basic understanding of microservice application architecture, software cohesion and software coupling
- Willing to write tools as necessary to perform day to day duties.
- Comfortable learning new programming languages as needed to conduct code reviews
- Current information security and/or software development certification, including Certified Secure Lifecycle Professional (CSSLP), Professional Software Engineering Master (PSEM), Certified Software Development Professional (CSDP), GIAC Secure Software Programmer (GSSP)
- Expert level knowledge of static analysis tools and methods
- Expert level knowledge of dynamic analysis tools and methods
- Advanced knowledge of software engineering concepts: GoF software design patterns, SOLID design principles (SRP, OCP, LSP, ISP, and DIP) and development methods (Scrum, XP, Lean, Waterfall)
- Strong understanding of SAML, OAuth and OIDC
- Strong understanding of common cryptographic algorithms and libraries
- Experience with mobile application development on Android or iOS
- 2+ years working as full stack software developer
- 1+ years working in a software QA role.
- Comfortable with the following tools and technologies: Git, ZAP or Burp Suite, Postman, SoapUI, Jenkins, Artifactory, SonarQube, FindBugs, Docker, JIRA, Confluence
- Evaluates applications for security flaws by performing fuzzing, access/authorization bypass, business logic abuse and intentional fault injection.
- Uses Static and Dynamic Analysis tools to support broad testing and vulnerability discovery.
- Reviews application architectures and implementation details for design flaws, incorrect security implementation and missing security controls.
- Works with other security team members to research and test for complex security issues.
- Consults with Software Engineers, Infrastructure Architects and Security Architects to correct application, architectural or environment flaws.
- Validates external security researcher bug bounty submissions.
- Works closely with service providers and external security support resources to schedule, track and manage outsourced security testing efforts.
- Creates and/or maintains threat models to communicate risks to engineers, project managers and other technical personnel.
- Ensures applications are built according to enterprise security standards.
- Works with development teams to review application source code for security and operational risks.
- Performs manual code reviews of applications that are not compatible with automated SAST tools.
- Provides detailed security documentation to developers, software engineers and technical personnel when necessary.
- Provides guidance and recommendations to software architects and engineers on how to correct code-related security flaws.
- Participates in peer reviews of security assessments created by other team members.
- Manages tickets and SLAs associated with security testing efforts.
- Maintains the enterprise SSDLC standard.
- Communication - Conveys information and ideas to others in a convincing and engaging manner through a variety of methods.
- Leading Through Vision and Values - Keeps the organization's vision and values at the forefront of employee decision making and action.
- Managing Change - Initiates and/or manages the change process and energizes it on an ongoing basis, taking steps to remove barriers or accelerate its pace; serves as a role model for how to handle change by maintaining composure and performance level under pressure or when experiencing challenges.
- Problem Solving and Decision Making - Identifies and understands issues, problems, and opportunities; obtains and compares information from different sources to draw conclusions, develops and evaluates alternatives and solutions, solves problems, and chooses a course of action.
- Professional Demeanor - Exhibits behavioral styles that convey confidence and command respect from others; makes a good first impression and represents the company in alignment with its values.
- Strategy Execution - Ensures successful execution of business plans designed to maximize customer satisfaction, profitability, and market share through effective planning, organizing, and ongoing evaluation processes.
- Driving for Results - Sets high standards of performance for self and/or others; assumes responsibility for work objectives; initiates, focuses, and monitors the efforts of self and/or others toward the accomplishment of goals; proactively takes action and goes beyond what is required.
- Customer Relationships - Develops and sustains relationships based on an understanding of customer/stakeholder needs and actions consistent with the company’s service standards.
- Global Mindset - Supports employees and business partners with diverse styles, abilities, motivations, and/or cultural perspectives; utilizes differences to drive innovation, engagement and enhance business results; and ensures employees are given the opportunity to contribute to their full potential.
- Strategic Partnerships - Develops collaborative relationships with fellow employees and business partners by making them feel valued, appreciated, and included; explores partnership opportunities with other people in and outside the organization; influences and leverages corporate and continental shared services and/or discipline leaders (e.g., HR, Sales & Marketing, Finance, Revenue Management) to achieve objectives; maintains effective external relations with government, business and industry in respective countries; performs effectively as a liaison between locations, disciplines, and corporate to ensure needed resources are received and corporate strategies are understood and executed.
Generating Talent and Organizational Capability
- Developing Others - Supports the development of others' skills and capabilities so that they can fulfill current or future job/role responsibilities more effectively.
- Organizational Capability - Evaluates and adapts the structure of assignments and work processes to best fit the needs and/or support the goals of an organizational unit.
- Continuous Learning - Actively identifies new areas for learning; regularly creates and takes advantage of learning opportunities; uses newly gained knowledge and skill on the job and learns through their application.
- Technical Acumen - Understands and utilizes professional skills and knowledge in a specific functional area to conduct and manage everyday business operations and generate innovative solutions to function-specific work challenges.