Application Security Architect

Description

POSITION SUMMARY:

The Architect, Application Security (CS) 

• assess the security and compliance of web applications, code, and related components in our proprietary Health Cloud products (including those of third-party vendors) throughout the software development lifecycle (SDLC) to ensure they are designed and built securely;
• will work as part of the Cyber team and collaborate closely with key stakeholders to define and document security requirements, plans, architecture, and FISMA paperwork required for the applications Authority to Operate (ATO).

DUTIES AND RESPONSIBILITIES: 

Essential Duties

• Partner with system, infrastructure, application, and cyber security teams to determine/create integration strategies/patterns that allow secure access across programs and applications.
• Define and document security requirements for new application, identify the appropriate configurations.
• Identify and document application threats, vulnerabilities, and risks, and advise development teams how to protect against them.
• Ensure the security of the system lifecycle through code reviews and testing.
• Work with key stakeholders to ensure authentication controls are understood from a security perspective, and work with the development team to plan, develop and implement the solution.
• Work with the development team to resolve findings from security scans, reviews, or penetration tests.
• Help incident response teams respond to detected intrusions.
• Conduct periodic assessments.
• Develop the application’s security architecture in collaboration with the development team.
• Assess the security posture associated with networking, security technologies, hardware and software development, test, and evaluation.
• Support vulnerability assessment, penetration testing, and supply chain risk management activities.
• Perform code reviews and conduct testing to ensure security is built in as planned.
• Work with the development team to ensure the remediation of identified vulnerabilities and Plan of Action and Milestones (POA&Ms) are analyzed, understood, and resolved based on priority levels defined.

Other Duties:

• Align and periodically communicate metrics with senior leadership around the effectiveness of the application security program.
• Leverage your accumulated subject matter expertise of DSS’ applications, systems, and code to propose and drive architectural improvements which address classes of security flaws in the FedRAMP ecosystem and other projects such as SOC2 and HITRUST.
• Deliver training and provide mentoring to software developers on security topics.
• Facilitate threat modeling exercises to ensure optimized security design decisions are being made.
• Participate in requirements definition and perform initial risk analysis to define a minimum standard of security for each application.
• Ensure changes do not create or introduce security gaps.

SECURITY AND PRIVACY DUTIES AND RESPONSIBILITIES

• Individuals working for DSS will be subject to security and privacy requirements as explained in HIPAA, FedRAMP, and NIST 800-53. Additionally, they are required to undergo specific FedRAMP training to ensure compliance with all associated controls and responsibilities in the day-to-day performance of their duties. Individuals working in departments that are considered to be in the high-risk category will be required to undergo advanced training based on their role and level of access. Individuals with access to modify data and the configuration baseline will require further training.

The preceding functions are examples of the work performed by employees assigned to this job classification.  Management reserves the right to add, modify, change or rescind work assignments and make a reasonable accommodation as needed.

Qualifications

QUALIFICATIONS:

Skills:

Required:

• Experience as a senior/staff/lead security engineer in product and application security.
• Experience leading security projects and initiatives that require collaboration with teams across an organization.
• Sound understanding of application security vulnerabilities (e.g., OWASP Top 10), defense techniques and security best practices, including language-specific security practices and present-day threats.
• Experience with modern application development languages and frameworks (e.g., .NET, Node.js, Java, Python, React, Angular

Desired:

• Experience with assessing/securing large, complex SaaS applications.
• FedRAMP and or SOC 2 knowledge.
• Two + years of experience as a people manager.
• Use of agile methodologies for project management.
• Manual web application penetration testing experience, including the use of professional penetration testing tools.
• Strong familiarity with AWS, Docker, Kubernetes, Linux, and similar infrastructure/technologies.
• Prior full time software development experience.
• Safeguarding applications by identifying associated threats, vulnerabilities, and risks, and implementing ongoing security testing and code review.
• Securely configuring application components (within the application).

Education:

Required:

• Bachelor’s degree or equivalent experience.

Certification(s), Licenses:

Required:

• One or more relevant security certifications (CSSLP, CISSP, CISM, CEPT, CMWAPT, CPT, CEH, LPT, GWAPT, GPEN, GXPN, OSCP).

Desired:

• CASE, CASS, GWEB

Years of experience in a similar role:

Required:

• 7+ years of relevant experience

Desired:

• 10+ years of relevant experience

PHYSICAL DEMANDS:

All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

If you need an accommodation seeking employment with DSS, Inc., please email jobs@dssinc.com or call (561) 284-7373. Accommodations are made on a case-by-case basis.