Project description
We are a team of Application Security enthusiasts who have been helping create secure applications for a huge telecom provider in Europe for over 15 years.
We know how to break apps and how to make them unbreakable.
Responsibilities
- Development of security requirements at early stages of the product life cycle.
- Preparation of test scenarios for an audit that are based on business requirements, technical documentation for a project and a list of affected systems.
- Identification of defects and vulnerabilities in new and existing software products using the following methods:
- Static code analysis (mainly Java and J2EE applications, iOS and Android mobile apps) using HPE-MicroFocus Fortify SCA;
- Dynamic code analysis and scanning for vulnerabilities using Burp Suite and OWASP ZAP;
- Manual penetration tests on software products deployed on a test environment.
- Development of recommendations for software developers for addressing the security flaws identified.
- Optimization and automation of the audit process.
- Configuration (creation of new rules) of SAST and DAST tools.
SKILLS
Must have
- Understanding of architecture and working principles of modern web applications.
- English level: Upper- Intermediate.
- Higher education in IT or math
- Strong knowledge of basic concepts of information security.
- Strong knowledge of defect types (CWE/SANS Top 25 Most Dangerous Software Errors), vulnerabilities and information security risks in web and mobile applications (OWASP Top 10), as well as ways of detecting and mitigating them.
- More than 2 years of working experience as Application Security Engineer or on a similar position (Penetration testing, etc.).
- Strong knowledge of programming languages (Java) and scripting languages (Python, powershell, bash).
Nice to have
• Relevant information security certifications: OSCP, CEH, OSWE.
• Knowledge of/experience with international information security standards and personal data protection standards: ISO 27XXX, PCI DSS, GDPR, etc.
• Knowledge of/experience with information security standards and frameworks: SAML, OAuth, WS-Security, X.509, SAML, JAAS, SSL/TLS, OpenSSO, OpenIAM, etc.
• Experience in CTF or bug bounty programs.
• Experience in web or mobile apps development.