Lead Application Security Engineer in New York, NY at Vaco

Date Posted: 12/4/2019

Job Description

You're looking for your next career move; our client is looking for technical expertise. Make the connection through Vaco! At Vaco, we give you an advantage over your competition by advocating for you. We promote your strengths to the hiring manager so that you are NOT just another faceless resume. Right now, we are seeking a senior-level Application Security Engineer for our client.

Our recruiters will prepare you for the interview and provide you with great insight about trends in the market - keeping you up to date on compensation expectations, company culture, and growth opportunities. If you're an experienced Software Engineer and want to partner with the best, apply today!


The Senior Application Security Engineer role is a leader in the IT security risk management program within the Enterprise Information Technology Security organization. The position reports to the Director of the IT Security Risk Management team. This role supports and delivers the development and implementation of a transformation program that identifies and manages information security risks, performs assessments, and delivers solutions to reduce IT security related risks. This role is responsible for working directly across multiple teams, management levels, disciplines, technologists, and business groups to enable a risk-based information security program.

Responsible for implementing an application security solution that will provide valuable information to IT and product developers in validating the posture and remediation as needed.

Responsible for explaining and demonstrating vulnerabilities to application/system owners, and providing recommendations for mitigation.

Accurately evaluate and effectively communicate on IT Security related risks.

Deliver security solutions and recommendations that resonate with the vision, strategy, and direction of the information security risk program.

Defines the IT security frameworks for existing and newly developed systems.
Partners with IT Teams in the development of security configuration standards and partners directly with the Threat & Vulnerability Management team in delivering direction for security protection and guidance to IT.

Responsible for defining processes to manage and enforce application security.

Conducts active penetration tests to discover vulnerabilities in information systems.

Responsible for supporting the implementation and enforcement of secure application design principles.
Responsible for defining and designing security code analysis tools and frameworks, and for performing code and design reviews of all internal and external software products. Works with application developers to ensure adoption of security principles and best practices.

Provides direction and support in security management and security architecture standards and documentation.

Represents the IT security team for enterprise projects during development phases such as architecture/design review, providing IT security consulting and recommendations to ensure the implementation of a secure application design.

Participates in and ensures compliance with IT standards and audit recommendations (e.g., PCI DSS, HIPAA, SOX).

Drives the delivery of the risk program goals, objectives and solutions.
Support the improvement of the enterprise information security risk management framework, policy, processes, and tools.

Develop and implement the next-level down risk management processes (process-level, asset-level, etc.), including embedding risk assessments into existing capabilities (architecture reviews, secure design and development, etc.).
Enable risk-based strategic planning efforts for security teams across Ingersoll Rand, and ensure that risk mitigation strategies are identified, resourced and tracked.

Develop and deliver the IT Security risk reporting process and provide reporting to the organization.
Manage relationships with security, technology and business stakeholders to identify and communicate security risks and mitigation approaches.

Support and deliver the IT Security related reporting and metrics, including Key Risk Indicators (KRIs).
Support the internal, external and cross-functional program resources to complete goals and initiatives.

B.S. degree or equivalent work experience in risk management, business management, information systems or other relevant field.

Expert knowledge of risk management approaches and processes required, including proven implementation experience.

Expert in delivering security risk assessment techniques including user and account audits, privileged user audits, data discovery, wireless scanners, threat modeling, vulnerability testing, etc.

5+ years of experience in web application development in .NET, Java EE, and SQL

3+ years of experience in web or mobile application security preferred

HTTP protocol knowledge required

Knowledge of authentication mechanisms such as SAML and OAuth, along with web service security protocols for SOAP such as WS-Security

Expert knowledge of information security principles, web applications and a level of familiarity with malicious code and common techniques used by hackers

Experience with application security code review practices / static analysis and methods, such as OWASP Top Ten

Detailed knowledge and understanding of the Payment Card Industry (PCI) data security standards (PCI DSS) as well as experience in the implementation of controls to mitigate PCI issues

Experience with Application Security Firewalls such as F5's ASM or Citrix's Teros

Experience using vulnerability assessment tools/platforms such as Qualys, Nexpose, Burp Suite, Paros, Samurai WTF, and BackTrack along with centralized logging and penetration testing

Experience in creating, maintaining, and executing Incident Response Plans

Strong interpersonal and communications skills along with strong customer service skills

Strong programming background in JavaScript, JSP, PHP, and ASP.NET strongly preferred

Knowledge of security flaws and their resolution as listed on sites such as OWASP and SANS
Knowledge and understanding of network and web related protocols (e.g., TCP/IP, UDP, IPSEC, DNS, LTM, GTM) preferred

Experience in technical security countermeasures, risk management, contingency planning, and data communications networking preferred

Experience in IT Audit, IT Security, Application Development, Network Engineering, Database Administration, Middleware, and Operating Systems (UNIX, Linux, Windows), with demonstrated experience in cloud security, mobile security, and IoT technologies. Experience with security technologies such as cyber security and threat management, vulnerability management scanners, mobile security, DLP, next-generation firewalls, IDS/IPS, endpoint protection (AV and AM), FIM, security scanners, secure web applications, secure web filtering, and others.
Preferred security certification such as SANS/GIAC, CompTIA, Certified Information Systems Security Professional (CISSP), Certified Information Systems Manager (CISM), Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), or equivalent required.

Excellent written and verbal communication skills.
Exceptional planning skills a must.
Expert knowledge in common regulatory and industry security related requirements such as PCI DSS, NIST, HIPAA, ISO 27001, SSAE16, COBIT, and others.
Results-oriented, with demonstrated problem-solving and decision-making skills.
Effective stakeholder management skills; ability to influence and work across all groups, levels, and business groups to develop the most effective approach.
Exceptional interpersonal skills to effectively promote ideas, collaborate across teams, and influence stakeholders.