Job Description
Senior Application Security Engineer
Description
At Pearson, we’re committed to a world that’s always learning and to our talented team who makes it all possible. From bringing lectures vividly to life to turning textbooks into laptop lessons, we are always re-examining the way people learn best, whether it’s one child in our own backyard or an education community across the globe. We are bold thinkers and standout innovators who motivate each other to explore new frontiers in an environment that supports and inspires us to always be better. By pushing the boundaries of technology — and each other to surpass these boundaries — we create seeds of learning that become the catalyst for the world’s innovations, personal and global, large and small.
Position Overview
This position reports to the Director of Data Security and Privacy, who leads the School Assessments Information Security Office (AISO). You’ll be working on application security across a range of technologies and environments, from mobile applications (Android and iOS) to Cloud services. You will be working directly with product developers, site reliability engineers (SRE), DevOps Teams, QA teams, and other technical subject matter experts. You will collaborate with your colleagues in the AISO to help identify application security vulnerabilities through the use of vulnerability and penetration testing tools, as well as through the analysis of application code and architectural design.
In this position you will:
- Develop, maintain, and socialize secure coding guidelines and best practices.
- Work with developers to assist in designing and architecting secure systems.
- Develop general techniques and frameworks that will enable other engineering teams to find flaws before they are introduced into production
- Be a security subject matter expert and respond to any internal security engineering questions/requests
- Develop and implement secure cloud architecture in AWS (Amazon Web Services), GCP and Azure.
- Correctly balance security risk and product advancement
- Perform penetration testing on our internal- and external-facing applications
- Perform threat modeling for existing applications
- Perform reactive incident response when a security event occurs
- Perform proactive research to detect new attack vectors
- Work with technical SMEs across the Assessments Technology Engineering (ATE) organization to architect and create secure-coding frameworks that prevent current and future attack scenarios
- Collaborate with infrastructure and application teams to advance their ability to take ownership of and implement secure coding techniques and follow the OWASP best practices.
- Work with Security Operations Center (SOC) colleagues to research, architect, and execute solutions that will advance internal security monitoring & controls
- Periodically conduct developer training on secure coding concepts
Qualifications
- Bachelor’s or Master’s degree in Computer Science, Information Security, or related major.
- Strong development background using multiple development tools, techniques, and platform technologies
- Knowledge of cybersecurity topics including: secure web app design, cryptography and key material handling, authentication mechanisms such as OAuth, SAML or OpenID, sensitive data protection, SDLC integration (fuzzing tests, static and dynamic code analysis)
- Familiar with DevOps container/orchestration tools (Kubernetes, Docker, Puppet, etc.)
- Experienced in the use of source code scanners (Veracode, WhiteHat, Checkmarx, SonarQube, Black Duck, etc.) and the ability to manually validate findings/eliminate false positives
- Familiar with the use of various manual and dynamic application vulnerability testing suites (Netsparker, AppScan, WebInspect, Acunetix, Burp, etc.)
- Ability to detect, define, exploit, and remediate OWASP Top 10 vulnerabilities without the use of a vulnerability scanner (a browser, a proxy, an editor, and YOU)
- Preference will be given to candidates holding AWS Solutions Architect - Associate certification. Other cloud-based certifications will be considered.
- Intermediate skill level and experience working with industry standard cybersecurity frameworks, such as NIST CSF, ISO 27001, CIS Benchmarks, HITRUST, etc.
- Preference will be given to candidates who hold professional certifications in one or more of: CISSP, CEH, GCFE, CFCE, or CSSLP
Qualifications
Primary Qualifications:
- Bachelor’s degree in Computer Science, Business Administration or equivalent educational or professional experience and/or qualifications.
- Experience leading a team in the area of vulnerability management
- Experience with industry leading vulnerability scanning tools (Nessus, Qualys, or similar)
- 5 years of information security experience required
- 5 years of experience with information technology audits and assessments preferred
- Familiarity with privacy laws, data protection/security regulations, and frameworks, such as BITS, SOC 2, COBIT, etc.
- Experience with information security concepts as they relate to cloud security and compliance
- Familiarity with Amazon Web Services (AWS) control and governance concepts preferred
- Negotiation skills needed to obtain commitments to remediate risks and vulnerabilities from leadership of other teams
- Possess a solid understanding of underlying infrastructure architecture including WANs, LANs, Internet, intranets, cloud computing, and communication protocols such as TCP, UDP, and IPsec
- Excellent communication, listening and facilitation skills
Pearson is an Equal Opportunity and Affirmative Action Employer and a member of E-Verify. All qualified applicants, including minorities, women, protected veterans, and individuals with disabilities are encouraged to apply.
Primary Location: US-IA-Iowa City
Other Locations: US-CO-Centennial, US-TX-San Antonio, US-TX-Austin, US-MN-Bloomington, US-CO-Boulder
Work Locations: US-IA-Iowa City-2510 North Dodge 2510 North Dodge Street Iowa City 52245
Job: Technology
Organization: Assessments School
Employee Status: Regular Employee
Job Type: Standard
Shift: Day Job
Job Posting: Sep 24, 2019
Job Unposting: Ongoing
Schedule: Full-time Regular
Req ID: 1912754