Digitribe - Application / Security Engineer

Digitribe - Kortrijk
new offer (27/04/2024)

job description

The Application Security Engineer/Architect is responsible for ensuring that the software developed and deployed within the company is secure, in order to prevent security breaches through the application landscape of the client. This responsibility includes the security of the entire software development life cycle (SDLC).
Security of application code (including libraries)
Security of the cloud infrastructure to run the applications on all environments
Incident response to application (infrastructure) related security incidents
This may involve identifying and addressing vulnerabilities in the code, implementing security policies, controls and best practices, security training, testing the security of applications, etc.

RESULT AREA AND KEY ACTIVITIES

1) Security awareness & knowledge:
make sure the software engineers and other professionals related to software development are aware of the security risks and have the knowledge to create secure software.

Activities:
Organise security training sessions for the product delivery organisation
Be a security advocate for the company through in-house trainings, brown bag sessions, ...
Help developers follow the secure coding guidelines through hands-on guidance
2) Make sure security policies and controls are in place to prevent insecure software from being developed or deployed to our environments.

Activities:
Implement automatic security controls at build time such as
Static & Dynamic security testing
SBOM (Software Bill of Materials) vulnerability scanning & management
Container image hardening
Quality gates in the CI pipeline
Implement automatic security controls at runtime such as
Making sure artifacts are deployed using the principle of least privilege
Cloud native best practices are followed
Kubernetes best practices are in place
...
3) Security testing:
Testing the security of applications through activities such as penetration testing, vulnerability scanning, and code review.

Activities:
Conducting penetration tests to identify and report on vulnerabilities on IT
Conducting code reviews to identify and fix insecure coding practices that could lead to vulnerabilities.
Analyse application-related security findings from internal or external penetration tests or a bug bounty program: accept/reject the change, decide on next actions
4) Make sure detected security findings are solved with the correct priority.
Conduct triage of reported security vulnerabilities
Talk to the teams involved in the security finding and make sure they understand what the impact of the detected vulnerability is, and what needs to be done to solve the problem
Guide the teams in fixing the vulnerability and if needed be able to give hands-on support.
5) Application security incident response:
be available as an expert within the application security domain, to assist when security incidents occur.

Activities:
Be able to create post-mortems based on the incident and define action points to improve security and resilience
Conduct forensic exercises by analysing the logs of the clients' applications & infrastructure to determine the impact of a security breach

Cyber Security Knowledge

Stay well-informed about the evolutions and developments related to software and (cloud) infrastructure security, and keep his/her knowledge up-to-date with these evolutions, in order to strengthen his/her credibility by offering a service that is continuously based on updated knowledge.

Activities:
Attend information sessions, seminars, etc. about existing and new technologies, both internally and externally
Keep up-to-date regarding emerging security and information protection trends and technological evolutions with direct impact on the daily activity of the team.
Maintain knowledge of leading-edge and state-of-the-art technologies and concepts and introduce them to the specific security-related solution used by the team
Continuously learn new skills related to security and data protection technologies, and help to integrate them into the global security vision and strategy of the client
