Application Security Engineer
Fortinet, Inc.
1 month ago
Role details
Contract type
Permanent contract Employment type
Full-time (> 32 hours) Working hours
Regular working hours Languages
English Experience level
SeniorJob location
Tech stack
API
Artificial Intelligence
Applications Architecture
Software System Penetration Testing
Burp Suite
Cloud Computing
Cloud Computing Security
Code Review
Computer Security
Cross-Origin Resource Sharing (Ajax Programming)
Fiddler (Software)
Mobile Application Software
Network Security
OAuth
Open Web Application Security
Systems Development Life Cycle
Cloud Services
Web Application Security
Large Language Models
Software Security
Mitre Att&ck
Containerization
Information Technology
Fortinet
Devsecops
Static Application Security Testing
Microservices
Dynamic Application Security Testing
Job description
- Serve as an application security subject matter expert who provides guidance to internal teams
- Work closely with development teams, perform code reviews, penetration tests, and architectural reviews on existing codes and new features.
- Develop, implement, and communicate vulnerability mitigation strategies to development teams
- Handle externally reported vulnerabilities as a member of Corporate Information Security Responsible Disclosure Program committee.
- Drive Fortinet static and dynamic application security testing program.
- Develop strategies, evaluate solutions, design and implement tools, processes and controls to ensure that security and privacy are designed in Fortinet applications
- Advise development teams on SDLC best practices.
- Proactively research new attack vectors on applications that may affectFortinet applications and infrastructure.
- Be part of a global distributed team to share knowledge, workload and assignments. Strong sense of teamwork is required. Coach peers in application security concepts and best practices.
Requirements
- 5+ years of work experience as an Information Security Researcher or Engineer
- Strong understanding on OWASP TOP 10 vulnerabilities.
- Strong understanding of common API security risks
- Strong understanding on Cloud-Native application architecture, microservices, containerization technologies, secure deployment and implementation issues.
- Proven experience in application penetration testing
- Proven experience in security code review
- Proven experience in application security testing (DAST, SAST, IAST, SCA) tools and processes
- Strong foundation in computer and network security, authentication & authorization, security protocols and applied cryptography
- Solid understanding with web security standards such as CSP, SOP, CORS, and emerging web security technologies.
- Solid understanding on CI/CD pipelines, build systems and DevSecOps principles.
- Experience defining security architecture patterns and standards in a large enterprise organization.
- Experience with cloud-based security solutions and familiarity with cloud service providers, particularly in relation to application security
- Experience working with threat modeling methodologies such as MITRE ATT&CK, STRIDE, PASTA etc.
- Efficiency with web proxies such as Burp or OWASP ZAP or Fiddler
- Understanding of OAuth and JWT implementations.
- Ability to organize & communicate effectively, both written and verbal, with technical and non-technical people across functional teams
- A BS degree in Computer Science, Cyber Security, other tech-related degree, or equivalent experience.
- Experience in Cloud Security Posture Management (CSPM) and/or Application Security Posture Management (ASPM) tools is a plus.
- Having OSWE OSCP, GWEB, GPEN or similar certificate is a plus
- Experience in Mobile Application Penetration Testing is a plus
- Familiarity with AI&ML & LLM concepts, AI Red Teaming, AI Guardrails is a plus.
