
Application Security Engineer

Location and employment type

Saint Petersburg, full-time, remote work possible

Company

Telecommunications service

Job description

Working conditions

What you will do:

  • Perform static and dynamic code testing, threat modeling, design reviews, and penetration testing of company applications, review results and work with engineering to provide fixes.
  • Support the implementation and enforcement of secure design and secure programming principles according to policies, standards, and guidelines.
  • Develop and implement manual and automated web and mobile application security testing of the company’s applications.
  • Work with security product vendors and service providers to evaluate security offerings, including product evaluations, proof of concepts, and pilot installations.
  • Review POCs from bug bounty programs, provide recommended fixes and feedback to engineering and review bug fixes.
  • Develop and implement security testing and quality controls in CI/CD process.
  • Build re-usable security libraries and other components for Engineering teams to use in their development and QA work.
  • Define privacy-by-design and privacy engineering practices, and work with development teams to implement them.
  • Drive effectiveness, adoption, and measurement of security software development practices.
  • Assist QA in developing security test cases and in executing those cases.
  • Work with software development teams to secure development environments.
  • Write and maintain relevant documentation and audit reports.

Qualifications:

  • Experience with C/C++ and/or Java.
  • Experience with either JavaScript/NodeJS, PHP, or Python.
  • Advanced knowledge of the CWE/SANS Top 25 common programming errors and the OWASP Top 10, their attack vectors, and how to mitigate these errors and vulnerabilities.
  • Experience with web application architecture and design.
  • Experience with layer 7 web defense (WAF, RASP, etc.).
  • Experience with penetration testing tools (ZAP, Burp).
  • Familiarity with static and dynamic code scanning tools.
  • Familiarity with version control tools such as Git, Bitbucket, SVN, Mercurial, Perforce.
  • Experience with mobile programming, either Android or iOS.
  • Familiarity with CI/CD tools such as Jenkins, Docker, Puppet, Kubernetes.
  • Experience identifying attack and service abuse artifacts in application logs.

Would be a plus:

  • One or more relevant security certifications, such as OSCP, OSCE.
  • CTF (capture the flag) / bug bounty / CVE.
  • Strong knowledge of RedHat Linux.
  • Strong knowledge of Microsoft Windows.
  • Strong command line and scripting skills.
  • Experience working with global teams.

Benefits

  • Well-coordinated professional team.
  • Cutting-edge technologies, interesting and challenging tasks, a dynamic project, great opportunities for self-realization, professional and career growth.
  • Corporate training programs, English language courses.
  • Medical insurance, including dental, from the first working day; life insurance.
  • Business trips to foreign branch offices (the USA, China) and the possibility of further work in the U.S. on an H-1B visa.
  • Employment and salary payment in accordance with the labor code.
  • Sick leave 100% paid.
  • 28-day vacation, 100% paid in accordance with the current salary.
  • Office within a 10-minute walk of the subway, or remote work.
  • Non-resident applicants are granted a relocation bonus.