As a provider of digital banking services to financial institutions, we operate in a highly regulated industry that requires us to establish and operate mature information security programs. At Lumin Digital, the Application Security Engineer is responsible for:

  • Collaborating with partners through the Product and Software Development Life Cycles to ensure security is built into our offerings from conception through design, implementation, testing, and ongoing maintenance
  • Providing knowledge and guidance to Product and Development teams on industry best practices related to secure architecture and coding, quality assurance, and protecting CI/CD pipelines
  • Implementing and maintaining automated application vulnerability scanning tools, including static and dynamic application security tools (SAST and DAST)
  • Recommending, scoping, and coordinating manual application penetration testing assessments through third-party engagements
  • Following industry-standard practices to prepare for, identify, contain, eradicate, and recover from application security incidents
  • Supporting risk management, compliance, and audit functions to measure and continuously improve the company’s application security posture

Essential Functions

  • Use and optimize monitoring, reporting, and alerting capabilities to identify, prioritize, and address weaknesses, applying research, technical validation, data manipulation, and report-writing skills.
  • Maintain knowledge of evolving threat tactics, techniques, and procedures as well as current company and open-source vulnerability disclosures relevant to Lumin Digital.
  • Maintain authenticated automated vulnerability scanning systems to ensure they operate regularly and scan effectively.
  • Keep accurate and complete records of application security posture and vulnerability detections across a growing and dynamic fleet of cloud servers and remote worker endpoints.
  • Serve as the first point of contact to triage, confirm, and prioritize reported application security issues, whether they originate from internal sources, client reports, or external security researchers (including submissions through bug bounty platforms).
  • Collaborate with clients, auditors, vendors, and the internal security team to validate the security posture of both client-facing and internal applications, which include web interfaces, mobile applications for Android and iOS, microservices, and underlying caching and persistent data stores.
  • Upon request, provide architectural and code reviews of Development team deliverables and provide technical recommendations to improve application security posture.
  • Enhance and maintain application threat models to inform and prioritize the risk management activities of the Product, Development and Security teams.
  • Establish methods to measure aggregate vulnerabilities and risks, and regularly review and report to the CISO on the operating effectiveness of the related programs.
  • Support the vulnerability management program, by using assessment tools (e.g. Veracode, Qualys, Rapid7, Whitehat Security, Burp, ZAP) and by coordinating with internal system owners to complete ongoing vulnerability monitoring and remediation activities.
  • Collect evidence of security program activities to satisfy client due diligence requests as well as support internal and external audit activities.

Experience:  

  • Five (5) years of experience in a relevant technology domain, including security engineering, software engineering, application vulnerability analysis, or information assurance required.
  • Three (3) years of demonstrated full-time experience identifying and technically qualifying application security vulnerabilities in large-scale web applications, financial services applications, or mobile applications, as a vulnerability analyst, DevSecOps team member, or similar role, required.
  • Experience with AWS, Git, and application vulnerability management platforms required.

Education:  

  • Bachelor’s Degree in Computer Science, Management Information Systems, Information Assurance, Information Security, Cybersecurity, or related field; or equivalent self-study in cybersecurity with demonstrated command of key concepts and technologies and proficiencies in software engineering, secure application development, penetration testing, or other technical security risk management domains required.

Knowledge, Skills, and Abilities:

  • Ability to read and comprehend application source code, such as TypeScript, JavaScript, C#, Java, and Swift, from a source control repository, such as Git
  • Ability to identify common application security vulnerabilities in source code, such as command injection, TOCTOU, and inappropriate use of cryptographic functionality
  • Ability to read and comprehend the technical details contained in vulnerability assessment and penetration testing reports, and to accurately and independently qualify and reproduce reported issues, either through manual, interactive testing or through written proof-of-concept scripting
  • Working knowledge of classes of security vulnerabilities, including those covered by the OWASP Top 10 and the Common Weakness Enumeration
  • Working knowledge of vulnerability prioritization methods, including through the Common Vulnerability Scoring System
  • Specialized knowledge of authentication and authorization frameworks, such as SAML, OIDC, OAuth 2.0, SCIM, JWT, WebAuthn, and OPA
  • Specialized knowledge of applied cryptography for software applications, including the appropriate use cases and relative strength of symmetric and asymmetric encryption, general hashing algorithms, and password hashing algorithms
  • Familiarity with factors of authentication, including their use and lifecycle management as prescribed by the NIST Digital Identity Guidelines and the FFIEC guidance relevant to digital banking solutions
  • Calm and serious attitude, technical aptitude, appropriate sense of urgency, and communication skills to effectively coordinate with internal team members to raise awareness of and track the remediation progress of vulnerabilities
  • Must be able to pass required background checks to be accepted as an employee with access to sensitive information
  • Must have strong client orientation and demonstrate a professional demeanor that earns the trust and respect of individuals inside and outside Lumin Digital
  • Ability to prioritize tasks, exercise sound judgment and confidentiality with sensitive information
  • Excellent speaking and written communication and interpersonal skills
  • Ability to educate and train engineers in various departments on sound application security practices, tools, and methods.
  • Ability to work remotely while maintaining a high level of productivity and effectiveness with moderate supervision
  • Curiosity and a strong drive to fully understand and keep apprised of threat and vulnerability trends

Benefits

At PSCU, everything we do recognizes the fact that our employees are our most important asset. That’s why we are committed to a work/life integration that goes above and beyond to ensure that you have quality time at home with your family and/or to pursue outside interests and aspirations. We back this up with generous PTO, the opportunity to work remotely, flexible scheduling, and a management team that understands how to adjust when the unexpected curveballs of life happen.

Check out the comprehensive benefits PSCU has to offer, which further solidify our reputation as a company that just “gets it” when it comes to balancing life’s planned and unplanned events while equipping you with all the tools for growth.

PSCU offers:

  • Beautiful, state-of-the-art campuses
  • Endless opportunities for advancement
  • Competitive wages
  • Generous paid time off and paid holidays

Our benefits package includes:

  • Medical
  • Dental and Vision
  • Basic and Optional Life Insurance
  • Company Paid Disability Insurance
  • 401k (with employer match)
  • Health Savings Accounts (HSA)
  • Flexible Spending Accounts (FSA)
  • Supplemental Insurance
  • Legal Plan
  • Pet Insurance
  • Adoption Assistance Plan
  • Employee Assistance Program (EAP)
  • Tuition Reimbursement
  • Wellness program
  • Benefits are subject to generally applicable eligibility, waiting period, contribution, and other requirements and conditions.