E&Y is seeking a Senior Application Security Engineer with experience conducting application security assessments using automated tools (i.e., SAST, DAST, IAST). Qualified candidates would likely have ~2 years of experience either developing secure code or conducting application security assessments. In this role, the engineer would support a variety of large assessment programs for our clients, where the main techniques involve the use of automated tools coupled with manual triage and reporting. The candidate should have experience installing, integrating and onboarding applications with one or more commercial automated tools such as Fortify, AppScan, CheckMarx, Contrast, CAST, and WebInspect. In addition, the candidate should have demonstrated ability to effectively triage results, validate vulnerabilities using manual methods and provide developers with guidance on how to address them.
What to expect
In a rapidly changing IT environment, clients from all industries look to us for trusted solutions for their increasingly complex risks and vulnerabilities. As a member of our Application Security team you'll be right at the heart of that goal, helping clients gain insight and context to their cyber threats and assessing, improving, and building security solutions in order to mitigate these threats. You'll get to use your technical and business skills in order to help us drive this mission and have an impact on cyber security at a global level.
You'll work alongside respected industry professionals, learning about and using the latest tools and techniques to identify and overcome some of the most relevant and pressing security issues in the world. It's a highly specialized area, where you'll learn highly sought after technical skills, all while developing your relationship management abilities - often by working directly on-site with our clients.
Our security professionals possess diverse industry knowledge, along with unique technical expertise and specialized skills. The team stays highly relevant by researching and discovering the newest security vulnerabilities, attending and speaking at top security conferences around the world, and sharing knowledge on a variety of topics with key industry groups. The team frequently provides thought leadership and information exchanges through traditional and less conventional communications channels such as speaking at conferences, publishing white papers and blogging.
Our professionals work together in planning, pursuing, delivering and managing engagements to assess, improve, build, and in some cases operate integrated security solutions for our clients.
Your key responsibilities
* Assist with the integration of automation tools within client's development environment.
* Work with client and other team members to define processes for identifying candidate applications, scheduling them, and performing logistical set up.
* Run automated tools on candidate applications and triage results using manual methods where access allows to eliminate false positives.
* Document findings and recommendations in a clear, concise manner.
* Verbally present findings and recommendations in conversations with developers and client management.
* Over time, develop the ability to design solutions and programs.
* Clearly communicate internally and externally, in technical reports, project read-outs and presentations.
* Support pre-sales and scoping calls with clients.
To qualify for the role you must have
* Practical experience in performing software security assessments, including vulnerability assessments, pen tests, secure code reviews and associated technologies. The ideal candidate has experience performing these activities using a variety of techniques and tools, both automated and manual.
* Candidate should have experience performing assessments with one or more of the following automated tools - Fortify, AppScan, CheckMarx, Contrast, CAST, and WebInspect.
* Familiarity with common vulnerability management practices.
* Solid understanding of, and ability to explain to others, the characteristics of common application security vulnerabilities, e.g., the OWASP Top Ten.
* Comfortable reading and understanding code written in languages such as Python, Ruby on Rails, Go, Java, and .NET. Development experience in these languages is a plus.
* Experience with the following is a plus:
  * Automation tools like Vagrant, Docker, Ansible, or Chef.
  * Cloud technologies/services such as AWS, Pivotal Cloud Foundry or Microsoft Azure.
* Quick thinking and initiative: two of the most important qualities we look for in a candidate. You must be comfortable taking input from stakeholders and taking initiative without specific direction. You should be able to multi-task and work productively in a high-interrupt environment.
* Excellent communication skills (verbal, written and presentation) and the ability to interface with both executive management and technical personnel.
* This position may involve onsite presence at a client site Mon-Thurs for 6-12 month durations.
* A driver's license valid in the U.S.
* Willingness and ability to travel domestically and internationally to meet client needs.
Estimated travel required up to 50%.
What we look for
We're interested in intellectually curious people with a genuine passion for cyber security. With your specialization in application security assessments and penetration testing, we'll turn to you to speak up with innovative new ideas that could make a lasting difference not only to us - but also to the industry as a whole. If you have the confidence in both your presentation and technical abilities to grow into a leading expert here, this is the role for you.
What working at EY offers
We offer a competitive compensation package where you'll be rewarded based on your performance and recognized for the value you bring to our business. In addition, our Total Rewards package includes medical and dental coverage, both pension and 401(k) plans, a minimum of three weeks of vacation plus 10 observed holidays and three paid personal days, and a range of programs and benefits designed to support your physical, financial and social wellbeing.
Plus, we offer
* Support, coaching and feedback from some of the most engaging colleagues around
* Opportunities to develop new skills and progress your career
* The freedom and flexibility to handle your role in a way that's right for you
* A rewards package tailored to your unique needs
As a global leader in assurance, tax, transaction and advisory services, we're using the finance products, expertise and systems we've developed to build a better working world. That starts with a culture that believes in giving you the training, opportunities and creative freedom to make things better. Whenever you join, however long you stay, the exceptional EY experience lasts a lifetime. And with a commitment to hiring and developing the most passionate people, we'll make our ambition to be the best employer by 2020 a reality.
If you can confidently demonstrate that you meet the criteria above, please contact us as soon as possible.
Join us in building a better working world. Apply today.
EY provides equal employment opportunities to applicants and employees without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, protected veteran status, or disability status.
Ernst & Young (doing business as EY) is a multinational professional services company.