Senior Application Security Consultant – SSDLC and Training
San Jose, California
AppSec Consulting has an immediate opening for a Senior Application Security Consultant to join our growing consulting company. This regular, full-time position is a great opportunity for someone with strong web and/or mobile application development and security skills. This is a highly technical hands-on role that will utilize your development skills but involves little coding.
This is primarily a defense-focused position in which you will help customers improve their application security posture in various ways, such as via application security training and implementing improvements to the Software Development Life Cycle (SDLC). We also have a variety of interesting application security assessment projects to work on, including penetration tests and code reviews of web applications, web services, mobile applications, etc.
Primary Job Duties
- Working with customers to prepare custom secure application development training course material based on the customer’s specific security needs and development platforms. This will involve interacting closely with the customer’s subject matter experts to identify the most common security issues that affect their applications and to provide guidance on how to prevent and/or mitigate each vulnerability.
- Delivering classroom training on Secure Application Development and Application Security Testing (and assisting with enhancements to our existing training materials).
- Assisting customers with building security into their Software Development Life Cycle. This will typically involve assessing the current state of the customer’s SDLC and then identifying, recommending, and sometimes helping to implement security improvements to their SDLC. These improvements could potentially include process changes, vulnerability rating and tracking systems, automated security code review tools, etc.
- Providing on-the-job training and mentoring to other members of the team.
Occasional Job Duties
- Conducting application security assessments and penetration tests (web, mobile, web service, etc.). These assessments involve manual testing and analysis as well as the use of automated application vulnerability scanning/testing tools such as Burp Suite Professional and/or code review tools such as HP Fortify and Checkmarx. We expect you to have experience doing similar assessments, but we will train you on our proprietary assessment methodology.
Our company is headquartered in San Jose, California. Some of the work can be done remotely but a portion of the work will require on-site work at customer locations, primarily in the Bay Area.
- Several years of experience developing web and/or mobile applications, preferably hard-core financial, e-commerce, or business applications that face the Internet.
- Knowledge of the HTTP protocol and how it works.
- Experience with developing and delivering training materials, either in-person or web-based.
- Experience with building an application security program or implementing a Secure Software Development Life Cycle for one or more companies that develop sensitive applications.
- Experience performing application security testing using manual techniques plus runtime vulnerability testing tools and/or code review tools (nice to have, but not necessary).
- Experience with network/infrastructure-level penetration testing (nice to have, but not necessary).
- Honesty and integrity.
- Solid written and verbal communication skills.
- Willingness to do hands-on, highly technical work.
- Strong customer focus. The goal should be to make customers happy enough that they ask for you to be called back to do more work for them.
- Desire to learn new things and be a participant in the local information security community.
- Must undergo criminal background check and drug testing.
- Flexibility to work odd hours at times. For the most part this is a Monday-Friday 8:00 to 5:00 job, but sometimes customers require us to do certain work during weekends or off-hours.
- Competitive salary including performance incentives.
- Reasonable work hours compared with most information security consulting firms. We expect employees to work hard and produce results, but we also understand that our employees have a life outside of work, and we are not a 60-hour-per-week body shop. A typical work week is 40 hours. Weekend work is rare and is rewarded with extra bonuses or time off during the week.
- Company-sponsored medical and dental insurance.
- Company-sponsored 401K with company match.
- Company-sponsored training programs and career growth opportunities. For example, most of the team goes to DEF CON every year.
- You’ll be part of a closely-knit team of dedicated employees.
If you think you’re the right person for this challenging and fun career opportunity, please send your resume to firstname.lastname@example.org.