Lead Application Security Engineer

£Competitive + Benefits

Job Description

About GBG

GBG offers a range of solutions that help organisations quickly validate and verify the identity and location of their customers. Our market-leading technology, data and expertise help our customers improve digital access, deliver a seamless experience and establish trust, so that they can transact quickly, safely and securely with their customers online. We have over 1,000 team members across 15 countries and work with over 20,000 customers in over 70 countries. Some of the world's best-known businesses rely on GBG to provide digital services and keep the economy moving.

The Team

The InfoSec team is accountable for GBG’s Information Security, Security Architecture, Security Compliance, Security Awareness, Security Operations and Information Security Risk Management activities. It is a highly motivated team of security professionals delivering cyber security, security operations and information security risk activities globally.

The Role

You'll be responsible for supporting the Director of Cyber, working closely with development and operational teams to design, implement and recommend application security controls. This is a new role at GBG requiring a passion for cyber security and a hands-on development background to create and develop the application security capabilities as part of the SDLC. Ideally you will have a background in, or an understanding of, software development.

What you will do

  • Assess and identify gaps in current application security controls and provide guidance to resolve and remediate based on risk to the business
  • Provide expert guidance on application security matters
  • Working with the DevOps teams, establish and design processes to improve the secure development of products and services during the SDLC, by implementing a software assurance model designed to address security defects early in the delivery pipeline
  • Be an advocate for secure coding practices across all engineering teams
  • Participate in security projects, providing technical guidance and support during development and rollout of new product features by understanding their requirements and modelling/evaluating likely threat vectors
  • Provide security expertise and guidance to the Development/Delivery Teams
  • Promote a security-focused culture as part of the SDLC, educating DevOps teams in security best practices
  • Conduct/Lead threat modelling and security design activities alongside Dev/Engineering Teams
  • Work with 3rd parties to support vulnerability and penetration testing
  • Process reports from external penetration testing vendors and coordinate feedback with teams to ensure actions are followed to mitigate identified risks
  • Create and maintain documentation and presentations for security champions

  • Software engineering background is a must, with knowledge of application security frameworks e.g. OWASP SAMM/DSOMM/ASVS etc.
  • Hands-on knowledge of information security processes such as security design review, threat modelling, OWASP Top 10, risk analysis, and software testing techniques
  • Deep knowledge of common web application vulnerabilities (e.g. Injection Attacks, XSS, CSRF, etc.) and their mitigation strategies
  • Strong understanding of application security awareness, including the security of web applications
  • Experience with risk management activities - identifying, assessing and providing remediation options for application and technology risks
  • Knowledge of Agile methodologies is a must
  • Experience working in AWS/Azure/GCP would be beneficial
  • Thorough understanding of SAST, DAST (including fuzzing), endpoint and perimeter scanning etc.
  • Familiarity with industry security standards (ISO27001, NIST, CCM etc.)
  • Familiarity with API gateway security, WAF and IDS, SSO, SAML etc.
  • At least one professional security certification e.g. CISSP, CEH, GCIH, GCFA, CSSLP etc., or working towards one
  • Experience with AWS cloud technology and cloud security best practices
  • Good understanding of containerisation technology such as Docker and Kubernetes
  • Excellent analytical skills with the ability to see the bigger picture
  • Excellent communication skills with the ability to influence multiple stakeholders
  • Ability to self-motivate and define priorities to meet deadlines
  • Good team-oriented interpersonal skills, with the ability to interface effectively with a broad range of people and roles
  • Ability to effectively present and communicate security threats and risks to any audience and impress upon them the mitigation techniques and strategies
We have a vision to have the best and most engaged team members in the industry. People matter at GBG, they make us who we are. Every team member across all our locations makes a difference, everyone has something to contribute. Maybe you too could make a difference.

As part of our commitment to our team and flexible working approach, we have created a Work When and Where You Want Policy to give our team members choice and empowerment, and to support a balance in work and home life. Please ask your Talent Attraction Specialist for more information on this and our Family Friendly policy if you want to find out more!

Next steps

If you’re interested, please apply! We’re looking to hire the best and most engaged people into our business and we’ll make an offer once we’ve found that person.

As an equal opportunity employer, we are committed to providing fair opportunities for everyone regardless of age, gender, race, religion, sexual orientation, parental status or disability. Everybody is welcome and our inclusion and diversity programme, be/yourself, is designed to ensure that you can thrive. Please inform your GBG Talent Attraction Specialist if you require any reasonable adjustments to the interview process.