The Application Security (DevSec) Specialist will act as an Information Security Risk Management (ISRM) team representative and will work with the application development teams, including but not limited to the eCommerce, web application and IoT development groups. The DevSec Specialist will provide guidance on developing and managing security development requirements for transactional web-based applications, mobile applications and associated customer-facing technologies. The role will also work with developers to define and implement security requirements in application development projects of moderate to high complexity, and will develop and provide reporting, analysis, assessment and risk details, and recommendations at the functional or business level. Responsibilities include development and implementation of security requirements, standardization and oversight of the implementation of the Company's Secure System Development Lifecycle (SSDLC) Policy, and coordination of the aligned requirements into application development projects. The DevSec Specialist carries out security-specific SSDLC activities and acts as the security subject matter expert for all application security needs within the development organizations. The candidate will be part of the ISRM management team.
location: REMOTE, Pennsylvania
job type: Permanent
salary: $120,000 - 150,000 per year
work hours: 8am to 5pm
education: Bachelors
responsibilities:
- Development and implementation of Secure SDLC policy, procedures and requirements, in collaboration with development teams, to help implement and enforce secure development processes and the supporting tools and capabilities
- Scope of technology includes but is not limited to multi-tiered transactional web applications, IoT cloud platforms, device development and protocols (e.g. MQTT), mobile applications (Android, iOS) and other development-related technologies
- Ensure security development requirements are integrated in all new and enhancement projects and provide guidance on remediating and mitigating identified risks and gaps
- Design security development requirements and manage the implementation of secure development standards and requirements
- Develop and manage security training curriculum as well as advanced training requirements for the development teams
- Develop on-going technology risk reporting, monitoring and metrics to regularly measure control effectiveness for development projects and processes
- Interpret and evaluate secure code review results from open source and commercial tools to drive and manage remediation
- Perform application penetration assessments or proof of concept testing
- Maintain and enhance application security incident response processes and program
- Adhere to internal policies and procedures, technology control standards, and applicable regulatory guidelines
- Contribute to the review of internal processes and activities and assist in identifying potential opportunities for improvement
- Perform other duties as required
requirements:
- Bachelor's degree in Computer Science or a related field, or an equivalent combination of training and experience
- 10+ years of experience in an information systems environment, with strong knowledge of application development and coding practices
- Advanced knowledge of organization, technology controls, security, and risk issues
- Full understanding of the SSDLC process and how all activities in the process should operate
- Training or experience in application security architecture and threat modeling
- Full understanding of the OWASP Application Security Verification Standard (ASVS)
- Training or experience in writing secure code, in particular in Java and PHP
- Training or experience with the mobile and web security models
- Training or experience in application security testing, including application penetration testing: both performing the testing and interpreting the results and helping developers plan mitigations
- Working knowledge of frameworks, standards and regulations, including SOX, PCI DSS, ISO 27001/27002, NIST SP 800-171, NIST CSF, GDPR, HIPAA, etc.
- Ability to multi-task, with highly efficient time management and prioritization
- A professional IT security certification (e.g. CISSP, CISM, CISA, OSCP) is preferred but not required
- Working knowledge of IT/IS frameworks, standards, regulatory guidelines and rules as noted above.
- Strong organization, communication and analytical skills.
- Ability to draft and deliver management presentations.
- Knowledge and understanding of SOX and the working practices of both internal & external auditors and auditing processes.
- Working knowledge of US and EU Data Protection requirements.
- Strong understanding of networking and information security fundamentals. Knowledge and understanding of automated change management systems, processes, procedures, and documentation.
- Ability to gather data, compile information and prepare reports, including strong MS Office skills (especially Word, Excel and Visio)
- Ability to make administrative/procedural decisions and judgments.
- Knowledge of current technological developments/trends in area of expertise.
- Strong knowledge of certification reviews, accreditation activities, risk analyses, application and system software (including security software and hardware), related capabilities, and performance characteristics
qualifications:
- Experience level: Experienced
- Minimum 10 years of experience
- Education: Bachelors
skills:
Equal Opportunity Employer: Race, Color, Religion, Sex, Sexual Orientation, Gender Identity, National Origin, Age, Genetic Information, Disability, Protected Veteran Status, or any other legally protected group status.
For certain assignments, Covid-19 vaccination and/or testing may be required by Randstad's client or applicable federal mandate, subject to approved medical or religious accommodations. Carefully review the job posting for details on vaccine/testing requirements or ask your Randstad representative for more information.