The position will report to the Head of Application Security and work in collaboration with application development teams to remediate security vulnerabilities identified through application security testing, as well as findings from third-party penetration testing. You will serve as a bridge between security and development, providing hands-on guidance, secure coding recommendations, and technical expertise to ensure our applications remain secure and compliant.
This position is ideal for a software engineer with strong C# and JavaScript experience who is passionate about security and enjoys collaborating with others to improve the overall security posture of our applications.
1. Partner with development teams to remediate vulnerabilities identified by DAST, SAST, and SCA scans, as well as third-party penetration tests.
2. Review, triage, and prioritize findings to ensure timely resolution based on business risk.
3. Provide secure coding guidance and best practices to developers across multiple teams.
4. Assist developers in debugging and fixing vulnerabilities within C# and JavaScript codebases.
5. Collaborate with Application Security and DevOps teams to integrate security into the SDLC.
6. Track and report remediation progress to stakeholders and leadership.
7. Participate in code reviews and recommend design improvements to reduce security risk.
8. Stay current on emerging security threats, vulnerabilities, and industry best practices.