Application Security Engineer

 

Description:

As an Application Security Engineer at Lilly on the Security Architecture and Engineering team, you will play a pivotal role in ensuring the security of our software development lifecycle (SDLC). Your primary responsibility will be to integrate application security testing tools into the development and deployment pipeline, ensuring that every step of the SDLC follows security best practices. You will partner with engineering teams to enable secure coding practices, conduct security testing, and coordinate vulnerability remediation efforts. Additionally, you will collaborate with various stakeholders across the organization to develop and implement application security strategies.

 

How You'll Succeed:

  • Technical expertise: As an Application Security Engineer, you will leverage your deep technical knowledge of application security concepts, tools, and best practices to implement tailored security solutions and effectively mitigate threats and risks.
  • Problem-solving skills: Adept problem-solving abilities are crucial in quickly identifying and addressing security issues, ensuring the development and delivery of robust and secure applications in a timely manner.
  • Collaboration and communication skills: You will actively collaborate with both local and remote team members, playing a pivotal role in defining, designing, and executing application security strategies. Excellent communication skills are essential for this role, as you will need to engage with both technical and non-technical audiences, including software developers, DevOps teams, and other stakeholders.
  • Agility: The ability to quickly adapt to the changing threat landscape and move at the pace of the adversary is critical to success in this role.
  • Knowledge of application security trends: This role requires staying abreast of the latest developments in application security, including emerging threats, tools, and best practices, and integrating these insights into our practices.
  • Balancing security and operational needs: You will balance stringent security guidelines with operational requirements, maintaining the desired corporate security posture while demonstrating empathy and understanding towards the engineering teams' challenges and needs.

Key Responsibilities:

  • Lead and deliver the integration of security testing tools in the Software Development Lifecycle (SDLC), including Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Dynamic Application Security Testing (DAST) tools.
  • Partner with DevOps teams to build security testing and verification into the application development and deployment processes.
  • Secure containers in on-prem and cloud container hosting services, collaborating with Cloud Service delivery teams to ensure secure configuration and deployment.
  • Build relationships with internal and external customers, partnering with them to monitor and coordinate the remediation of vulnerabilities.
  • Develop and maintain technical specifications, design patterns, standards, and security guidance, with a particular emphasis on application security.
  • Perform threat analysis and modeling to enable business and technical partners to deliver secure solutions integrated with the SecOps lifecycle.
  • Coordinate with other cybersecurity teams to drive key vulnerability remediation initiatives.
  • Triage newly identified critical vulnerabilities and zero-day vulnerabilities, assess the threat and impact, and manage escalation processes for remediation based on risk.
  • Continuously improve processes and procedures, including reporting exceptions/risk acceptance for further review and escalation to the appropriate risk owners.
  • Interact with stakeholders to develop and fine-tune the process of how application security metrics are calculated and communicated.

Your Basic Qualifications:

  • Bachelor's degree in Cyber Security, Computer Science, Information Technology, or related field, OR
  • High School Diploma/GED with 4+ years of experience in Cyber Security, Information Technology, or related field, AND
  • 2-6 years of demonstrated experience in application security, with a strong focus on integrating security into the SDLC.
  • Proficiency in DevSecOps practices and conducting end-to-end security testing of applications.
  • Experience with evaluating, mitigating, and prioritizing application security vulnerabilities, using manual testing methods and/or industry-standard commercial or open-source tools.
  • Experience with automating processes for security testing, escalating, and reporting through scripting and working with APIs.
  • Knowledge of and ability to apply frameworks such as OWASP Top 10 and MITRE ATT&CK Framework.

Organization: Lilly
Industry: Engineering
Occupational Category: Application Security Engineer
Job Location: Dublin, Ireland
Shift Type: Morning
Job Type: Full Time
Gender: No Preference
Career Level: Intermediate
Experience: 2 Years
Posted at: 2024-08-12 6:20 am
Expires on: 2024-12-23