Application Security Engineer
The Application Security Engineer will work closely with Discovery’s Information Security and Direct-to-Consumer (DTC) teams on initiatives to protect data, services, and technology assets and to design and deploy appropriate, risk-based application security safeguards and technical application security controls.
This is a key role within the Information Security organization that will be focused on application security for our streaming media service and other supporting applications. The Application Security Engineer will be a valued partner to development and engineering teams to ensure secure architectures, patterns, and solutions are created and maintained. This person will work closely with Discovery’s DTC application teams and will build a community of practice with developers within DTC to support effective communication and collaboration. This person will be the subject matter expert for secure code development and will work with various application engineering teams to develop alternatives for remediation of vulnerabilities.
1. Create and run secure code assessments with various application and services engineering teams
2. Run, maintain, and utilize security tools for the Appsec program, e.g., static and dynamic code analysis tools
3. Work with Red Teams and penetration testers to facilitate exercises and work with application developers and engineering teams on remediation
4. Assist with code reviews
5. Review and contribute to application designs and solutions
6. Participate in information security operations duties, including occasional incident response escalations
7. Perform risk and threat assessments
8. Evaluate and support application security technologies, processes and workflows on multiple platforms (e.g., Server/Client, Mobile, Tablet, etc.)
9. Develop and execute security assessment test plans
10. Collaborate with development teams to ensure secure coding best practices are followed
11. Review developers’ code, provide feedback and perform security and risk assessment for consumer-facing applications, services, and future technology
12. Create/make pull requests to review and merge code in Git/GitHub or similar DVCS
13. Identify and define application security requirements and security baselines for the various classes of assets and environments in use at Discovery or its partners
14. Work collaboratively and proactively across the organization (e.g., Technical Architects/Leads, Product managers, Digital Media Program (AGILE) Teams, etc.) to support and remediate security vulnerabilities
15. Understand and recommend security controls for the rapid development of consumer-facing prototypes to identify technical options and inform architectural approaches
16. Identify and recommend best-of-breed security stack and controls for interactive consumer experiences across web and mobile devices. (i.e., project, customer, and vendor management skills)
* 4+ years’ experience with application security
* Experience in application development with at least one modern programming language
* Knowledge of OWASP
* Knowledge of DevOps and Agile methods
* Hands-on experience performing code reviews and with associated applications such as static and dynamic code analysis tools
* Knowledge of web application architectures
* Knowledge of threat modeling
* Broad knowledge of IT Security technologies, processes, and techniques and a strong understanding of application security leading practices including OWASP and CWE.
* Experience in code reviews, business logic assessment, and application security testing
* Experience with public cloud environments (IaaS, PaaS, SaaS)
* Familiar with application security tools such as Burp Suite Pro, SAST, DAST, nmap, Metasploit, Kali Linux, etc.
* Experience in secure coding and software development in various languages (C#, .NET, Java, etc.)
* Experience working with Agile development/Scrum teams, and enthusiastically incorporating security requirements into SDLC (CI/CD) with product owners/managers
* Excellent communication and presentation abilities with great attention to detail
* Must have the legal right to work in the United States
* Other security experience such as application security incident handling, secure architecture, information security operations, GRC, etc.
* Cloud technology, specifically AWS