We have a current opportunity for a Security Engineer on a contract basis. The position will be based in London. For further information about this position please apply.
Security engineer - 6 Month contract - London
Cyber Programme is looking for a hands-on Application Security Engineer with deep expertise in security, specifically in the area of application security and development security, someone who has proven expertise working in large programs across globally distributed teams and is well versed in application security processes and procedures. The successful candidate should have several years hands-on experience working specifically on application security within development environments, preferably having come from a development background and should be well versed in using application security tooling. Ideally you will also have experience of various tools and solutions to embed security into the development lifecycle and support the overall development of a secure SDLC. You will have held similar roles with demonstrable expertise in application security, S[1]SDLC, CI/CD methodology and automation of these processes. The ideal candidate will have experience of working in organisations that are transitioning from a traditional DevOps model, to a DevSecOps model, providing expertise in the automation of processes that enable security to be built into the development lifecycle whilst embedding application security best practises into product design and development processes to create an integrated S-SDLC/DevSecOps process.
This role will require the post holder to identify security gaps in our current DevOps processes and cloud environments and propose solutions to remediate these. You will be technically responsible for implementing and integrating the required tooling, such as IaC, SAST, SCA, Container Scanning etc. into application development pipelines. This role is very hands-on and requires someone with extensive experience having integrated tooling into pipelines before and who has previously led a team to "shift left" and create a DevSecOps model. You will have good experience of scripting to automate processes, and have demonstrable experience in this area. The applicant should have an understanding of application security methods which assist with understanding and translating the true risk of vulnerabilities found within the organisation. You will have many years of experience having worked with teams to assess and remediate vulnerabilities found within applications and will act as the technical lead on the application security Project. Responsibilities: ●
Actively participate in defining and gathering requirements for the Application Security programme, support with creating designs where required. ● Working with the AppSec team, discover, develop and update our inventory of production applications and services so vulnerability remediation can be prioritised, and assist with classifying them accordingly. ● Work with the Cyber Security team, Platform team and Engineering teams to implement automated security tooling within the agreed CI/CD pipelines. e.g. SCA, SAST, IaC, Container Scanning etc. ● Work as a lead to shift the organisation from a DevOps model to a DevSecOps model. ● Support the Development and Platform teams with embedding new ways of working when shifting to a DevSecOps model. ● Automate security testing and vulnerability management procedures wherever possible, to reduce manual effort,ensuring assessment and remediation advice is readily and always available to the development and engineering teams. ● Work with our Platform Engineering team to ensure the process for deploying containers is secure and container vulnerabilities are remediated prior to deployment.
- Drive security improvements within the products and applications Condé Nast develops. ● Provide expertise in the areas of security and privacy throughout the development lifecycle. ● Assist in the creation of reports that include KRIs for the S-SDLC ● Working with the AppSec Lead, provide the overall design and implementation of a gated process for DevSecOps delivery, ensuring alignment with Cyber Security requirements. ● Work alongside relevant teams to help remediate vulnerabilities within pipelines and support the remediation of issues within pipelines as they arise. ● Support with code reviews/analysis - Condé Nast uses various languages; JavaScript, Python, Go, etc, so development language experience is essential. ● Identify any existing gaps within the deployment and architecture and recommend changes or enhancements. ● Support with coordinating technical security scanning, testing, application security testing and similar monitoring and validation techniques, where required. ● Define an approach and solution for ensuring applications which exist within our digital/customer environments are being assessed for vulnerabilities. ●
Working with the AppSec team, create standards and processes related to application security to support the organisation. Required Skills: To be successful, the candidate will need to have and demonstrate many of the following knowledge, skills and experiences, along with a proactive focused attitude; ● Have experience working on, delivering, supporting Application Security projects: ○ Identifying, defining and implementing requirements for Application Security tooling. Providing inputs to, and support for, evaluating RFI/RFPs and selecting vendors. ○ Scoping, development and publication of comprehensive application security standards, policies, procedures and guidelines. ○ Discovering, design and implementation of application security frameworks for ranking / tiering /application portfolios; including risk factors and classifications. ○ Identifying, developing and implementing appropriate S-SDLC models and frameworks which incorporate tooling. ○
Experience delivering and evaluating PoCs for application security tools. ○ Arranging pen-testing via 3rd parties, including establishing schedules for tiered apps across estates. ○ Understand impacts on business and developers day-to-day workloads for the remediation of vulnerabilities under an agreed standard. ○ Experience with SAST, SCA, IaC and Container scanning security tools including the development and reporting of KPI's & continual service improvement processes. ○ Implementing monitoring / alerting solutions across product estates, performing and closing GAP analysis and transitioning across to SOC / Operational teams. ● Familiarity with vulnerability management frameworks and concepts such as CVE, and CVSS ● Experience with DevSecOps concepts and tools, having the ability to advise on best practice and implement these. ● Expertise in AWS and understanding of GCP and Azure Cloud ● Good knowledge on container technologies (Kubernetes, Docker, AWS EKS) and securing the environments they run within, including embedding tools to secure the deployment of containers within the pipeline. ● Fluency with scripting and automation languages such as Go, Python, Ruby, Bash, etc. ● Experience of working with GitHub Actions, Jenkins and ECR ● Experience of configuration management tools such as Terraform and Ansible ● Experience of having implemented IaC, SCA, Static and Dynamic Code Analysis tools within pipelines. ● Knowledge of application security flaws and web application best practices (e.g. OWASP Top 10, CWE SANS Top 25) ● Minimum of 5 years experience having led a team in implementing tools and automating processes as part of a DevSecOps model. ● Experience of having supported an organisation in shifting from a DevOps model, to a DevSecOps model, with a focus on securing
