DevSecOps Application Security Engineer III

Our team members are at the heart of everything we do. At Cencora, we are united in our responsibility to create healthier futures, and every person here is essential to us being able to deliver on that purpose. If you want to make a difference at the center of health, come join our innovative company and help us improve the lives of people and animals everywhere. Apply today!
Job Details
Summary:
An experienced security professional with a strong focus on Application Security, API Security, and DevSecOps practices. Expert in identifying, assessing, and remediating application vulnerabilities with strict adherence to predefined SLAs, ensuring timely resolution of security issues. Proficient in tracking and managing aging vulnerabilities while working closely with developers to empower them with secure coding practices. Skilled in coordinating with DevOps, Operations, Application Development, and Security Architecture teams to foster collaboration and ensure that security is embedded throughout the development lifecycle.
Primary Duties and Responsibilities:

• Incorporate security measures into every stage of the DevOps pipeline to protect applications and APIs
• Implement and maintain controls within the Continuous Integration/Continuous Deployment (CI/CD) pipeline to meet necessary security standards
• Regular usage of automated tools for routine security checks
• Facilitate collaboration among development, operations, and security teams
• Develop policies that align with regulations, alongside conducting comprehensive assessments of application/API security
• Educate teams about secure use of applications/APIs, keeping up-to-date with cybersecurity trends, ensuring adherence to secure design principles across all Software Development Life Cycle (SDLC) phases, managing incident response protocols, and providing training on secure coding best practices
• Utilize automation tools to identify potential vulnerabilities before they escalate into threats
• Evaluate third-party services for potential weaknesses in their security posture
• Ensure that vulnerabilities are remediated before code moves to production and provide guidance on the remediation process for application/API security vulnerabilities
• Work closely in collaboration with Information Security Officers (ISOs), DevOps teams, Application Development teams, Vendor Partners, and Cyber Engineering teams
• Conduct proactive research to analyze security weaknesses and recommend appropriate strategies to strengthen controls
• Assists in security initiatives for areas like Cyber Operations, Incident Response, Threat Intelligence, and Vulnerability Management
• Guide, coach, and mentor Engineers I/II in executing their tasks, ensuring they follow best security practices
• Work on multiple projects as a key contributor, contributing to the strategic and tactical direction of cybersecurity initiatives
• Collaborate with IT teams to improve cloud and application security measures and integrate new and support existing security applications
• Communicate advanced information security concepts with clients, peers, management, and vendors effectively
• Familiarity with Static Application Security Testing (SAST), Software Composition Analysis (SCA), Container Security, Infrastructure as Code (IaC) Security, API Security, Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Runtime Application Self-Protection (RASP).

Required Skills and Expertise:

• Bachelor's or Master's degree in Computer Science, Cybersecurity, or a related field. A strong academic foundation in these disciplines supports advanced skills in security architecture, risk management, and secure development practices
• Application Security: In-depth knowledge and hands-on experience in securing applications throughout the software development lifecycle. Proficient in threat modeling, secure code review, and utilizing tools to identify security weaknesses
• API Security: Expertise in securing RESTful and SOAP APIs, ensuring secure authentication, authorization, and data validation mechanisms
• DevSecOps Integration: Implementing security controls within the CI/CD pipeline to ensure that security is continuously integrated, tested, and monitored across development, deployment, and operational processes
• Application Vulnerability Management: Extensive experience in vulnerability scanning, penetration testing, and remediating critical security issues such as SQL injection, cross-site scripting (XSS), and buffer overflows. Proven ability to remediate vulnerabilities against predefined SLAs, ensuring that all vulnerabilities are resolved within required timeframes
• Tracking Aging Vulnerabilities: Strong focus on monitoring and tracking aging vulnerabilities to ensure timely remediation and prevent accumulation of unresolved security issues, using metrics and reporting to manage risk
• Shift Left Security & Developer Empowerment: Strong advocate for embedding security at the earliest stages of development to reduce vulnerabilities and streamline remediation efforts. Actively empowers developers by promoting secure coding practices and providing them with the necessary tools and training to enhance security awareness and skills
• Cross-Team Coordination: Proven ability to collaborate and coordinate with DevOps, Operations, Application Development, and Security Architecture teams, ensuring seamless integration of security into every stage of the development and deployment process
• Platform Expertise: Proficient in using Checkmarx One and Veracode to conduct comprehensive static and dynamic analysis of application code, ensuring that security vulnerabilities are detected and remediated throughout the development lifecycle
• Familiarity with Static Application Security Testing (SAST), Software Composition Analysis (SCA), Container Security, Infrastructure as Code (IaC) Security, API Security, Dynamic Application Security Testing (DAST), Interactive Application Security Testing (IAST), and Runtime Application Self-Protection (RASP)

Certifications:

• OSCP (Offensive Security Certified Professional) - Demonstrates practical skills in penetration testing and ethical hacking.
• CEH (Certified Ethical Hacker) - Expertise in identifying vulnerabilities and securing systems against common threats.
• CISSP (Certified Information Systems Security Professional) - Broad knowledge of cybersecurity concepts, including risk management, asset security, and security operations.

What Cencora offers
We provide compensation, benefits, and resources that enable a highly inclusive culture and support our team members' ability to live with purpose every day. In addition to traditional offerings like medical, dental, and vision care, we also provide a comprehensive suite of benefits that focus on the physical, emotional, financial, and social aspects of wellness. This encompasses support for working families, which may include backup dependent care, adoption assistance, infertility coverage, family building support, behavioral health solutions, paid parental leave, and paid caregiver leave. To encourage your personal growth, we also offer a variety of training programs, professional development resources, and opportunities to participate in mentorship programs, employee resource groups, volunteer activities, and much more. For details, visit https://www.virtualfairhub.com/cencora
Salary Range*
$86,500 - 123,860
*This Salary Range reflects a National Average for this job. The actual range may vary based on your locale. Ranges in Colorado/California/Washington/New York/Hawaii/Vermont/Minnesota/Massachusetts/Illinois State-specific locations may be up to 10% lower than the minimum salary range, and 12% higher than the maximum salary range.
Equal Employment Opportunity
Cencora is committed to providing equal employment opportunity without regard to race, color, religion, sex, sexual orientation, gender identity, genetic information, national origin, age, disability, veteran status or membership in any other class protected by federal, state or local law.
The company's continued success depends on the full and effective utilization of qualified individuals. Therefore, harassment is prohibited and all matters related to recruiting, training, compensation, benefits, promotions and transfers comply with equal opportunity principles and are non-discriminatory.
Cencora is committed to providing reasonable accommodations to individuals with disabilities during the employment process which are consistent with legal requirements. If you wish to request an accommodation while seeking employment, please call 888.692.2272 or email [email protected]. We will make accommodation determinations on a request-by-request basis. Messages and emails regarding anything other than accommodations requests will not be returned
Affiliated Companies:
Affiliated Companies: AmerisourceBergen Services Corporation