Application Security - Engineer IV

JOB DESCRIPTION

Condé Nast is a global media company, home to iconic brands including Vogue, The New Yorker, GQ, Glamour, AD, Vanity Fair and Wired, among many others. The company's award-winning content reaches 84 million consumers in print, 367 million in digital and 379 million across social platforms, and generates more than 1 billion video views each month.

The company is headquartered in London and New York, and operates in 32 markets worldwide, including China, France, Germany, India, Italy, Japan, Mexico & Latin America, Russia, Spain, Taiwan, the U.K. and the U.S, with local licensed partners across the globe.

The Cyber Security Team provides the security services that underpin Conde Nast’s security posture and enhance the organisation's security profile. The Cyber Security Team is responsible for; Information Security and Cyber Risk management, Security Operations and the global SOC, Security Architecture and Application Security as well as Security Engineering. This role sits within the Cyber Security team reporting into the Security Architecture and Engineering Manager and provides the team with application security expertise that will allow the team to fully engage with the Development and Engineering teams and work with them to embed security into their development lifecycle. The successful candidate will own and manage Cyber Security relationships with key stakeholders within the Platform, Development and Engineering teams.

Conde Nast employs a large development team that develops around 250 products or services across the business which are predominantly consumed by our customers across the globe. As such we have a massive focus on ensuring all products we build and develop are done so securely.

We are seeking someone who is an SME in the areas of Application Security and DevSecOps and has worked in a lead role within a global organisation for a number of years.

The candidate will ideally come from a development background and will have demonstrable expertise in Application Security, DevSecOps, S-SDLC and relevant CI/CD methodologies.

The applicant will act as the lead on all Application Security initiatives as well as initiatives which support securing the overall development lifecycle.

They will use their expertise to identify security gaps in our current application development lifecycle and processes and propose remedies to improve security throughout the lifecycle. Additionally they will support with recommendations to shift security left such as to support us to operate in a truly dedicated DevSecOps manner.

The applicant should have an understanding of Application Threat modelling methodologies and will have experience of performing Threat modelling having previously used various tools in performing these.

The applicant should look to actively promote adoption and use of such methodologies and ensure security requirements are understood and embedded into the development lifecycle.

Duties:

• Work collaboratively with Product, Engineering and Global Architecture teams to identify vulnerabilities at the design stage.
• Engage regularly with development teams to discuss any security concerns relating to products or applications.
• Act as an SME on application vulnerabilities and support with detailing remediation steps to developers. Provide advice where required to assist with remediation.
• Perform manual testing to ascertain whether vulnerabilities are true positives and validate automated test scan results if required.
• Administer and maintain our SCA, SAST, IaC, Container and DAST security solutions, ensuring tooling is fit for purpose and providing value, as well as new features are being utilised.
• Support with onboarding development teams onto security tooling and integrating tools into their CI/CD pipeline, ensuring their applications are regularly being scanned for vulnerabilities.
• Drive security improvements and enhancements within the products and applications Conde Nast develops.
• Identify gaps in our application security controls and make recommendations for improvements to tooling or processes to resolve the gaps and improve security.
• Support with Code Reviews/Analysis. Knowledge of Java, Java Script and NodeJs is essential.
• Support with arranging third party penetration testing against key applications or services.
• Provide business stakeholders and the GRC team with reporting on application vulnerabilities and KRI’s across our application portfolio.
• Develop and maintain all documentation for our Application Security Tooling, including processes and procedures for onboarding and offboarding teams and utilising tools in general.
• Regularly update and maintain our Application Security standards, best practices and guidelines within Confluence to ensure developers have a central location to reference.

Required Skills:

To be successful, the candidate will need to have and demonstrate the following knowledge, skills and experience, along with a proactive focused attitude;

• Minimum 5 years experience in Application Security and Engineering.
• Minimum 5 years experience in Secure Development Lifecycle
• Thorough knowledge of CI/CD and DevSecOps principles.
• Awareness of application security flaws and web application best practices (e.g. OWASP Top 10, CWE SANS Top 25)
• Understanding of STRIDE, or other Threat modelling or applicable methodologies
• Experience of working in a geographically dispersed organisation with varied stakeholders.
• Experience of implementing security within a DevOps environment i.e. adopting a shift-left approach within Application Security.
• Knowledge of cloud and containers essential (Kubernetes, AWS, Docker, AWS EKS)
• Experience of having worked with GitHub and GitHub actions is essential.
• Experience of using Static and Dynamic Code Analysis tools (Snyk and Rapid 7 AppSec are beneficial)
• Awareness and experience of the NIST framework and PCI-DSS Standard.
• Experience of container vulnerability scanning or securing containers.
• Experience of programming / development technologies, (this will be tested at interview)
• Experience of AWS WAF implementation and AWS services in general.
• Good communication, presentation and written language skills.
• Knowledge of development methodologies e.g. Agile

Educational Qualifications:

• BS Computer Science or similar qualification
• Application Security certifications (CEH, CASE, CSSLP or similar)