Senior Application Security Engineer Job at MIO Partners
Position
MIO’s IT team is seeking a Senior Application Security Engineer to help define and implement application security for MIO applications and infrastructure across the organization. The overall goal is to improve MIO applications’ security strength by adapting security-focused processes in various stages of SDLC. The successful candidate will be comfortable working directly with Development Managers, Software Architects, Application Developers, DevOps Engineers, and senior management teams to bolster application and infrastructure security posture.
The new hire will set coding standards from a security standpoint and perform application code reviews when required. Further, this individual will liaise closely with vendors on following MIO-defined security practices and data privacy policies. They will also be expected to work collaboratively with others in IT to incorporate security best practices across the end-to-end SDLC: from requirements gathering through white-boarding, infrastructure automation design, tool selection, application design, coding, test automation, delivery, support, and enhancements.
The Senior Application Security Engineer will own the metrics and reporting on the progress of the ShiftLeft initiative, which will enable injecting security practices early in the software development life cycle. This person will also be responsible for updating security policies and procedures and tracking adherence. The candidate should be a passionate technologist with a focus on operational excellence and customer orientation, with the ability to operate in a high-velocity agile environment.
This is a full-time, permanent opportunity. The Senior Application Security Engineer will be expected to work on-site at our Midtown, New York office 2-3 days/week. COVID-19 vaccination is mandatory for this position (subject to accommodation for health and religious reasons).
Primary responsibilities
The successful candidate will have strong experience with AppSecOps and DevSecOps technologies for SDLC, Infrastructure Automation, Cloud orchestration, and continuous delivery including experience with SAST, DAST and IAST.
This position requires a highly motivated individual who can work in a collaborative, fast-paced environment, learn and implement new technologies, and provide mid/senior-level expertise.
The Senior Application Security Engineer must lead by example and work collaboratively to:
- Work closely with others in IT to develop a secure SDLC with gating functions for application source code and IaC
- Define metrics and reporting on application security policies and processes and track adherence
- Proactively research and identify application security vulnerabilities and recommend counter measures
- Liaise with application development teams to design applications that are inherently secure
- Automate AppSecOps security testing processes including SAST, DAST, and IAST as appropriate
- Perform code deep dives to uncover security vulnerabilities or design flaws
- Provide subject-matter expertise in application code and IaC security best practices
- Support and consult with development teams in application security, including threat modeling and code reviews
- Advocate and champion ShiftLeft security initiatives and processes
- Contribute to raising the security awareness of team members through instruction and hands-on training
- Possess general awareness of industry data privacy standards across cloud providers and vendor product liabilities
- Actively participate in an Agile development environment; attend daily standups, sprint planning and retrospectives
Primary responsibilities estimated percentage allocation:
- 25% Technology Leadership: design, requirements gathering, brainstorming
- 75% Heads Down AppSecOps/DevSecOps development, implementation, administration, and support
Desired Background
- Bachelor’s degree in computer science or related field (or equivalent experience)
- At least 4 years of IT DevSecOps/AppSecOps experience
- Proficiency in one or more programming languages (Python, Java, C++, etc.)
- Understanding of CWE 25 and OWASP Top 10 with experience in implementing remediation strategies
- Experience in application security and threat modeling
- Familiar with application security control frameworks and current usage in applications (e.g., Authentication, Cryptography and Data Protection, Authorization, Web Access Firewall, etc.)
- Excellent understanding of application security testing automation including SAST, DAST, and IAST
- Knowledge of web application technologies and layer 7 protocols such as HTTP, FTP, DHCP, etc.
- Knowledge of exploit development and vulnerability research and reporting
- Knowledge of mobile app code security testing
- Experience in AWS technologies is a strong plus
- Exposure to Python, NGINX, Gunicorn and ReactJS is a plus
- Experience working with code management tools such as GitHub
- Must have the ability to work in a dynamic, fast-paced environment
- Strong communication skills with the ability to interact with stakeholders at various levels
- Strong problem solving and analytical skills
Certain US states require MIO Partners, Inc. to include a reasonable estimate of the salary range for this role. A reasonable estimate of the range for new joiners for this role in the United States is $150,000-$150,000. Actual salaries may vary and may be above or below the range based on various factors, including, but not limited to an individual’s assigned office location, experience, and expertise. Certain roles are also eligible for bonuses, subject to MIO’s discretion and based on factors such as individual and/or organizational performance. Additionally, MIO offers a comprehensive benefits package, including medical, dental and vision coverage, telemedicine services, life, accident and disability insurance, parental leave and family planning benefits, caregiving resources, a generous retirement program, financial guidance, and paid time off.