Senior Application Security Engineer

Job Description

Job Description

Subject to applicable law, all prospective hires will be required to demonstrate that they have been fully vaccinated for COVID-19 or intend to be vaccinated for COVID-19 by November 1, 2021, or qualify for a medical or religious accommodation to this vaccination requirement. Hired candidates who are not vaccinated by November 1, 2021, and who have not been approved for a legally-required medical or religious accommodation will be subject to disciplinary action up to and including termination of employment, in accordance with applicable law.

Our IT team operates as a business partner proposing ideas and innovative solutions that enable new organizational capabilities. We collaborate internationally to deliver the services and solutions that help everyone to be more productive and enable innovation.

We are seeking motivated talent interested in solving problems to improve tomorrow by joining a new team focused on Application Security and Software Assurance.

You will:

• Contribute to the success of firmwide application security program by working with application development stakeholders and cybersecurity engineers to implement software security controls effectively.
• Develop secure code guidelines and provide remediation strategies.
• Perform detail analysis of results found by application security tools in pre-prod and prod environments, help eliminate false positives, prioritize vulnerabilities, research, and propose remediation steps.
• Create custom rules for scan engines such as Appscan Source, Fortify or Checkmarx.
• Define and capture metrics to support security in the software development lifecycle.
• Act as subject matter expert for application security and manage vulnerability remediation.
• Provide secure application development training to developers and provide guidance on the development of web-based training for ongoing awareness.
• Work with developers and security engineers to continuously improve AppDev security services.
• Assist with security and compliance projects on an ad-hoc basis.
• Advocate for security requirements during all phases of the SDLC.

You will work and learn more about:

• Integration of leading-edge cybersecurity initiatives with application development.
• Working globally across our market and hub network.
• How to define meaningful metrics that lead to a reduction in security flaws.
• Understanding of our business in healthcare sector.

Education Minimum Requirement:

A Bachelor's Degree is required. Concentration in one of the following fields preferred.

• Computer Science
• Cybersecurity
• Management/Computer Information Systems
• Information Assurance

Required Experience and Skills:

• 3+ years of hands-on software development experience with Java/.NET.
• Expert level understanding of OWASP Top 10, SANS Top 25, SAFECode and other software security taxonomy, guidelines, and best practices.
• Experience documenting and providing fixes to identified vulnerabilities at the code level (developer friendly).
• Understanding of secure software development lifecycle process and accompanying technologies.
• Knowledge of tools and processes used to expose common vulnerabilities and implement countermeasures is expected.
• Excellent communication skills (written and verbal) and the ability to communicate with all levels of staff and management.
• Ability to work both independently and perform as a leader in team environment.

Preferred Experience and Skills:

• 5+ years of experience in software security and software security vulnerabilities.
• Experience with penetration testing tools and technologies, application layer assessment tools, such as local proxies and fuzzers.
• Experience with threat modeling and security design review methodologies.
• Ability to perform targeted vulnerability research.
• Proficiency in cloud and mobile security concepts.
• Ongoing operations of software composition analysis and pen testing capabilities.
• Experience with tools such as AppScan Source, Fortify, Veracode, Sonatype or Blackduck.
• Experience with access management, cyber incidents, security products, and industry standards (e.g., NIST, ISO).
• Relevant professional certification (e.g., CISSP, CCSLP).

Our Support Functions deliver services and make recommendations about ways to enhance our workplace and the culture of our organization. Our Support Functions include HR, Finance, Information Technology, Legal, Procurement, Administration, Facilities and Security.

Who we are ...

We are known as Merck & Co., Inc., Kenilworth, New Jersey, USA in the United States and Canada and MSD everywhere else. For more than a century, we have been inventing for life, bringing forward medicines and vaccines for many of the world's most challenging diseases. Today, our company continues to be at the forefront of research to deliver innovative health solutions and advance the prevention and treatment of diseases that threaten people and animals around the world.

What we look for ...

Imagine getting up in the morning for a job as important as helping to save and improve lives around the world. Here, you have that opportunity. You can put your empathy, creativity, digital mastery, or scientific genius to work in collaboration with a diverse group of colleagues who pursue and bring hope to countless people who are battling some of the most challenging diseases of our time. Our team is constantly evolving, so if you are among the intellectually curious, join us—and start making your impact today.

NOTICE FOR INTERNAL APPLICANTS

In accordance with Managers' Policy - Job Posting and Employee Placement, all employees subject to this policy are required to have a minimum of twelve (12) months of service in current position prior to applying for open positions.

If you have been offered a separation benefits package, but have not yet reached your separation date and are offered a position within the salary and geographical parameters as set forth in the Summary Plan Description (SPD) of your separation package, then you are no longer eligible for your separation benefits package. To discuss in more detail, please contact your HRBP or Talent Acquisition Advisor.

Current Employees apply HERE

Current Contingent Workers apply HERE

US and Puerto Rico Residents Only:

Our company is committed to inclusion, ensuring that candidates can engage in a hiring process that exhibits their true capabilities. Please click here if you need an accommodation during the application or hiring process.

For more information about personal rights under Equal Employment Opportunity, visit:

EEOC Poster

EEOC GINA Supplement​

OFCCP EEO Supplement

Pay Transparency Nondiscrimination

We are proud to be a company that embraces the value of bringing diverse, talented, and committed people together. The fastest way to breakthrough innovation is when diverse ideas come together in an inclusive environment. We encourage our colleagues to respectfully challenge one another’s thinking and approach problems collectively. We are an equal opportunity employer, committed to fostering an inclusive and diverse workplace.

Search Firm Representatives Please Read Carefully
Merck & Co., Inc., Kenilworth, NJ, USA, also known as Merck Sharp & Dohme Corp., Kenilworth, NJ, USA, does not accept unsolicited assistance from search firms for employment opportunities. All CVs / resumes submitted by search firms to any employee at our company without a valid written search agreement in place for this position will be deemed the sole property of our company. No fee will be paid in the event a candidate is hired by our company as a result of an agency referral where no pre-existing agreement is in place. Where agency agreements are in place, introductions are position specific. Please, no phone calls or emails.

Employee Status:

Relocation:

VISA Sponsorship:

Travel Requirements:

Flexible Work Arrangements:

Shift:

Valid Driving License:

Hazardous Material(s):

Number of Openings:

Requisition ID:R137287