• Work with development teams in architecture design and review sessions.
• Provide specific security expertise to development teams. Areas include secure database access, security testing, authentication methods, implementing encryption, entitlement design, logging, input validation, secure storage design.
• Identify areas of risk on projects where security requirements cannot be fully addressed in the required time frame of the project.
• Help identify areas of infrastructure the firm might want to invest in to further improve the discipline of application security.
• Create documentation and guidance on the secure implementation of new technologies in the firm. This involves liaising with other technology subject matter experts to build consensus.
• Conduct application security training for development groups.
• Architecture/Implementation: The ideal candidate will have experience in architecting and implementing an enterprise application, so as to fully appreciate the level of effort involved and the appropriate roles within IT.
• Software Development: This role is not an active programming position. The successful candidate will have had several years of programming experience in a commercial environment, preferably including large web application development projects. This includes knowledge of the software development lifecycle (SDLC).
• Languages: Java and Perl experience is a requirement. The ideal candidate will have experience with several other practical languages as well, such as C/C++, C#, Python.
• Knowledge of the common application layer vulnerabilities, and the ability to explain these risks to developers.
• Ability to evaluate technical and functional specifications early in the software development process and identify possible threats or areas of weakness. Experience in taking part in and contributing to design sessions.
• Ability to review the code of enterprise applications (Java required; C/C++ and .NET preferred) and identify possible security vulnerabilities.
• The candidate should have expertise with security-related topics such as authentication, entitlements, identity management, data protection, data leakage prevention, validation checking, encryption, hashing, principle of least privilege, software attack methodologies, secure data transfer, secure data storage etc. Genuine expertise is required here, as the candidate will be extensively tested on security principles.
• Knowledge of Single Sign On technologies such as SAML, Kerberos, and Siteminder.
• Some experience with security testing tools: at least one of Fortify, OunceLabs, AppScan, WebInspect, Burp. The successful candidate will be able to explain the ‘hows and whys’ of the tools, as well as being experienced in using them.