Application Security Engineer - (Remote, US)
DISQO is changing the way that the world’s largest brands, agencies and consumer intelligence companies get to know their consumers. We’ve built the first identity-based platform that combines consumer attitudes and behaviors together to power the most accurate and predictive insights solutions for our customers, and we do all of that with the willing participation of our consumers and without using outdated technologies like third-party cookies. We help our customers get a cross-platform view into consumer sentiment, measure advertising effectiveness, analyze consumer purchase journeys, and ultimately grow their brands.
Our mission is to build the most trusted insights platform that fuels brand growth. With over one million active members sharing their attitudes and behaviors, DISQO is looking to expand, improve and create world-class applications for people to openly share their data for research.
Check out the DISQO Developer Blog for the latest from our DISQOTECH team.
DISQO is searching for an Application Security Engineer within our DISQO Information Security organization to help build a world-class security program that enables a world where people trust in sharing information to improve the human experience. We are seeking an application security engineer who is passionate about protecting critical applications and APIs.
You will collaborate with engineering leaders, developers, quality engineers, and security teams to secure DISQO’s applications and services. Responsibilities include assessing the risk landscape for products, and helping drive risk mitigation. You will work with partner teams on security tools, penetration testing, and security testing methodologies to keep DISQO services secured.
You will experience a rapidly evolving technology and threat landscape and contribute to the education of teams on compliance activities throughout the development lifecycle. You should expect to be exposed to a broad range of systems, including web applications, big data, distributed processing, and virtualized environments.
Key Qualifications
- Deep understanding of web application and API security threats, vulnerabilities, exploits and prevention (SQL injection, XSS, CSRF, platform hardening, etc.)
- Ability to triage, reproduce, and recommend remediations for vulnerabilities
- Proficient with Python
- Ability to perform code reviews in Java, JavaScript, Go, PHP and C++
- Experience in penetration testing and tools such as Burp or ZAP
- Passion for understanding and researching vulnerabilities and exploitation techniques
- Experience in threat modeling (STRIDE, MITRE)
- Knowledge of development and integration tools and technologies (e.g. CI/CD)
- Knowledge of static code analysis and dynamic application scanning tools (e.g. SonarQube, Qualys, JFrog)
- Knowledge of test automation frameworks
- Knowledge of networking concepts (firewalls, load balancers, etc.)
- Experience securing applications in a public cloud, preferably AWS
- Excellent communication, interpersonal and collaboration skills
- Ability to craft and establish secure coding patterns/standards across multiple code repositories
- Ability to work in a self-directed, fast-paced environment
What you will do:
- Conduct application security reviews for our services and applications
- Perform penetration testing for critical services and applications
- Perform security code reviews for critical changes during the development phase
- Deliver security training and outreach to internal development teams
- Develop security best practices documentation
- Develop internal security applications
- Develop automations to streamline common tasks, tests, workflows, etc.
- Perform threat modeling
- Train and mentor DevOps and developer teams on application security best practices
- Actively promote security culture and education within the organization
What you bring to the table:
- Minimum of 4 years of experience with any of the following: threat modeling, secure coding or pentesting
- Experience with AWS Architecture (Lambda, SNS/SQS Messaging, API gateway, S3, ECS)
- Experience working with Continuous Integration and Deployment tools, e.g., Maven, Jenkins 2, Ansible, GitLab, Kubernetes, Rancher, Docker, Terraform
- Working knowledge of OWASP Top 10
- Experience implementing security solutions at the organization level
- Strong technical, problem-solving, analytical, communication and interpersonal skills
- Excellent written and verbal communication skills
- Proven ability to work with all members of an extended and diverse project team
- Must be detail-oriented, self-organized, committed to quality and be capable of tracking multiple issues simultaneously
- Prior experience/background in web application development a plus
- Experience with GDPR a plus
Education & Experience
- Relevant BA/BS degree and/or certifications (CEH, GWAPT, CISSP, CISA, CCSP, CSSLP) or equivalent experience.
Perks & Benefits:
- 100% covered Medical/Dental/Vision for employee, 80% for dependents
- Equity
- Generous PTO policy
- Flexible workplace policy
- Team offsites
- Life insurance
- FSA
- Paid maternity/paternity leave
- Disability insurance
- Travel Assistance Program
- 24/7 counseling services offered to employees
- Access to personal and professional growth tools: Calm app & LinkedIn Learning
DISQO is an equal opportunity employer. Discovery, innovation, and growth are possible when we open ourselves to new possibilities, perspectives, and approaches. That’s why, at DISQO, we welcome, support, and empower individuals from diverse backgrounds. Exceptional teams are rooted in extraordinary people, each with a unique story and a compelling set of skills. DISQO does not discriminate against employees based on race, color, religion, sex, national origin, gender identity or expression, age, disability, pregnancy (including childbirth, breastfeeding, or related medical condition), genetic information, protected military or veteran status, sexual orientation, or any other characteristic protected by applicable federal, state or local laws.
*Recruiting firms that submit resumes to DISQO without first entering into a written contract will not be entitled to any compensation on candidates referred by that firm.