Project Description
We are a team of Application Security enthusiasts who have been helping create secure applications for a huge telecom provider in Europe for over 15 years.
We know how to break apps and how to make them unbreakable.
Responsibilities
- Development of security requirements at early stages of the product life cycle.
- Preparation of test scenarios for an audit that are based on business requirements, technical documentation for a project and a list of affected systems.
- Identification of defects and vulnerabilities in new and existing software products using the following methods:
  - Static code analysis (mainly Java and J2EE applications, iOS and Android mobile apps) using HPE-MicroFocus Fortify SCA;
  - Dynamic code analysis and scanning for vulnerabilities using Burp Suite and OWASP ZAP;
  - Manual penetration tests on software products deployed in a test environment.
- Development of recommendations for software developers for addressing the security flaws identified.
- Optimization and automation of the audit process.
- Configuration (creation of new rules) of SAST and DAST tools.
Skills
Must have
- Understanding of architecture and working principles of modern web applications.
- English level: Intermediate.
- Higher education in IT.
- Strong knowledge of basic concepts of information security.
- Strong knowledge of defect types (CWE/SANS Top 25 Most Dangerous Software Errors), vulnerabilities and information security risks in web and mobile applications (OWASP Top 10), as well as ways of detecting and mitigating them.
- More than 2 years of working experience as an Application Security Engineer or in a similar position (penetration testing, etc.).
- Strong knowledge of programming languages (Java) and scripting languages (Python, PowerShell, bash).
Nice to have
- Relevant information security certifications: OSCP, CEH, OSWE.
- Knowledge of/experience with international information security standards and personal data protection standards: ISO 27XXX, PCI DSS, GDPR, etc.
- Knowledge of/experience with information security standards and frameworks: SAML, OAuth, WS-Security, X.509, JAAS, SSL/TLS, OpenSSO, OpenIAM, etc.
- Experience in CTF or bug bounty programs.
- Experience in web or mobile apps development.