Connecting to LinkedIn...

Application Security Lead

Job Title: Application Security Lead
Contract Type: Permanent
Location: Reading, Berkshire
Salary: Negotiable
Start Date: ASAP
REF: APPSECLEAD301122_1669803715
Contact Name: Rory Glass
Contact Email:
Job Published: 2 months ago

Job Description

Application Security Lead

Your duties and responsibilities:

  • Provide guidance on application security architecture, DevSecOps best practices & solutions to help business units to build & deliver solutions that meet our security requirements
  • Develop threat models and maturity assessments that can be used to integrate our security requirements into projects & operations
  • Create an application security observability framework to enable greater GSOC visibility by identifying best practices for logging within common application architectures
  • Define and conduct application security threat and risk assessments with methodology for all deployed solutions with ability to integrate into development pipelines
  • Conduct Secure SDLC (Software Development Life Cycle) workshops and working groups to facilitate a consistent set of security baselines for application security
  • Advocate for AppSec and DevSecOps from research conducted into modern threats and new technologies such containerisation and serverless computing
  • Liaise with security architects and other business units to communicate our security practices and processes
  • Support identification, training, and partnership with champions for security across the company to build a security first culture
  • Support security champions by helping them assess risk, learn to identify architectural gaps, and similar activities
  • Support development of training related to application security, security architecture, threat modelling, and secure coding

Knowledge and experience

  • Experience with the full secure software or systems development life cycle, including requirements analysis, design, integration, testing, and implementation
  • In-depth knowledge of application security methodologies along governance processes and practices, including ISMS monitoring and control frameworks such as, ISO, ISF and COBIT, their relationships to other frameworks
  • Knowledge of Application Security, DevSecOps, integrating security into CI/CD
  • Hands on experience with application security testing tools and findings remediation
  • Experience collaborating with developers to explain testing vulnerabilities so they can be resolved
  • Experience with industry security standards and regulations (ISO 27001/02, NIST 800 series, GDPR, etc.)
  • Knowledge of security and risk management techniques as well as emerging threats and vulnerabilities
  • Knowledge of OWASP, Static and Dynamic Analysis, vulnerability management
  • Experience in software design, or knowledge of modern DevOps processes
  • Experience with application security in the Cloud - Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform
  • Ability to develop threat models and participate in security walk-throughs
  • Be able to lead multiple technology groups to ensure that the application, integration and security architectures are designed to meet evolving business requirements, standards for reliability, scalability and availability and align with the organization's technology and security roadmaps
  • Strong leadership and facilitation skills with an ability to build relationships with stakeholders
  • Excellent oral, written and interpersonal communication skills; proven ability and interest to conduct research, develop technical products in both written format and with presentations to subject matter experts and leadership
  • Highly self-motivated, self-directed and attentive to detail
  • A University Degree in engineering, computer science or similar technical related area, with a minimum of 6-8 years' experience in AppSec role
  • Relevant security certification(s), preferably in AppSec, including but not limited to CISSP, CCSLP, GIAC, OCSP, GPEN, etc. will be good to have

You will

  • be a key member of our architecture forum, ensuring new components are designed with security best practices
  • own initiatives aimed at implementing and automating security controls, reducing risk, establishing a security-first culture, adopting a secure code development practice, contributing to our compliance & regulatory posture, and providing technical leadership for security
  • keep track of product vulnerabilities in the backlog and control vulnerability mitigation SLAs
  • drive application security best practice across the engineering teams
  • work closely with Software Engineers and SRE's to make sure our products are secure throughout the development lifecycle
  • lead or respond to security investigations as necessary, which may include an on-call follow the sun model
  • conduct Product Security training and workshops
  • engage with customers and partners and communicate their feedback to relevant parts of the organization
  • transform security from siloed practices to everyone's responsibility by integrating security activities into development routines and processes

You have

  • Outstanding interpersonal skills, and ability to build strong relationships across a dynamic, growing team
  • A good understanding of business needs and objectives
  • Ability to drive change and take initiative in a self-sufficient way
  • Ability to educate and explain complex concepts with simple words
  • You have knowledge and proven experience within Information security, Application security (OWASP), Cloud security, and secure continuous delivery
  • A deep technical background in large-scale multi-tenant & container based cloud environments
  • Understanding of Agile development and systems thinking
  • Comfortable with large codebases that are using multiple languages and infrastructure as code
  • Experienced in defining a strategy to follow and adopting that strategy across large multi-role teams
  • Can provide pragmatic technical leadership for a group of fast moving engineers
  • You are comfortable delving into code when needed, review pull requests and stay close to the team's work

Project People is acting as an Employment Agency in relation to this vacancy.