Application Security Engineer - London - Fintech
Investigo's Fintech client is seeking an innovative and accomplished Application Security Engineer to join the Information Security team. You will take a lead role in upholding the security of their products, from the early stages of their design through to completion.
You will influence the technical architecture of new products, ensuring that security is a keystone of their designs. You will assess the security of existing products through pentesting and threat modelling, and contribute to internal tooling and integration so that security is baked into the software development lifecycle. Developers will come to you as a trusted source of guidance for the secure development and maintenance of their products. Your insight will be consulted for strategic technical decisions, to guarantee that security is not an afterthought in the technical roadmap.
You'll be working closely with security operations, infrastructure, software engineering, and business units to ensure the 24/7 operation and security of the consumer-facing services. Contributing to an out-of-office-hours on-call rota spread across the team may be required to make sure issues are handled swiftly.
- Perform assessments of products, such as pentests of services that are being tested but are not yet in production.
- Provide technical expertise and guidance for developers around the secure development of their products.
- Perform threat models and other architectural risk assessments.
- Assist with building up a Secure Development Lifecycle, integrating security checks into the early stages of the continuous delivery pipeline, and more generally "shifting left".
- Help to maintain tooling and integration of InfoSec services that help us achieve the aforementioned goals; this includes SAST tools, container vulnerability scanners, and more.
- Contribute towards the broader company technical strategy, to push it in a more secure direction from a development perspective.
- Work with other application security engineers on centralised technical solutions for mandating security baselines, such as centralised security header additions on the edge and WAF tuning.
- Provide information for various reports, such as pentest remediations and application vulnerability reports.
- Keep up to date with evolving InfoSec trends, emerging risks, and growing industry-wide technological shifts.
- Promote the importance of Information Security throughout the organisation.
- Sympathise with the goals other teams are trying to achieve; help to push solutions out in a secure way rather than blocking them outright. We're here to work with others to get their products out in a manner that's secure for our customers, not to reject solutions without context.
- Knowledge of secure coding and how to avoid writing vulnerable code. You should be adept at spotting security issues during peer review of PRs.
- Able to perform security assessments. That includes web application assessment using tools such as Burp Suite or OWASP ZAP, and basic network assessments with tools such as nmap.
- Basic software engineering knowledge, just enough to work on InfoSec tooling from time to time and to understand the challenges software engineers face.
- A solid understanding of common operating systems, especially Linux.
- An equally solid understanding of TCP/IP networks and of the common network protocols and data formats that applications typically expose, in enough depth to assess them meaningfully.
- Knowledge of common security practices, technologies, and conventions.
- Past experience in a Security Engineer role or similar.
- A desire to learn and improve. Our engineering teams can push their own technological initiatives with emerging technology stacks, and we must keep up to date with them in order to effectively secure them.
Nice to have:
- Experience of the risks faced by financial services and credit card businesses.
- Experience with SAST products and container vulnerability scanning tools.
- Experience with Linux containers, Kubernetes, and cloud computing providers such as AWS.
- Basic programming skills in Go, Python, or another language common in InfoSec tooling. However, anyone who has basic software engineering skills and is willing to pick up languages as they go is fine!
- Relevant certifications in security engineering or the general information security space, e.g. one or more of OSCP, OSWE, GPEN, GWAPT, GMOB, CRT, PenTest+.