Application Security Engineer at Trade Ledger

Engineering, Sydney, New South Wales, Australia sydney engineering
Posted 9 days ago

The Role

This opportunity will see you responsible for making sure that security is embedded in each phase of our Software Development LifeCycle (Secure SDLC) and promoting a DevSecOps culture through TradeLedger.

As a member of the DevSecOps team, you will be working closely with the QA Team, the Cloud Security and Infrastructure Teams, the Risk & Compliance function, the Developers, and the outsourced security functions to analyse and implement mitigations to security findings.

Your tasks

  • “Shift left” - Preventing security bugs from being deployed to Production. Assessing potential threats during the software design phase and determining mitigations aimed at reducing the threats in the early stages of the development lifecycle.
  • Designing and implementing an agile and structured threat modelling approach to defend our applications from attacks.
  • Setting up testing and monitoring to and detect data breaches.
  • Advise developers and champion initiatives on the best code security practices and standards.
  • Hands-on experience of implementing and running Static Application Security Testing (SAST), Dynamic AppSec testing (DAST), and Software Composition Analysis (SCA).
  • Detailed understanding of attacks, threats, vulnerabilities, risks, and countermeasures frameworks (e.g. STRIDE, DREAD, PASTA, D3FEND, ATT&CK, OWASP, CIS benchmarks).
  • Design, implement, and improve authentication and authorization mechanisms.
  • Performing periodic security assessments and assisting with ad-hoc security investigations.
  • Writing technical documentation.
  • Assist in the writing and updates to our security policy documentation

About you:

  • Proven experience in application security related fields
  • Familiarity with containers and container-orchestration frameworks (like Kubernetes or EKS) including recommended security and hardening procedures.
  • Familiarity with RDBMS and No-SQL database systems
  • Understanding of web security to include certificates, HTTPS, security headers, web front-end hardening, OWASP Top 10, WAFs, etc.
  • Proficient in a scripting language (Bash, Python, Ruby, etc.) and the ability to use such languages to extract audit and forensic data from logs and other data sources.
  • Hands on experience with terminal, specially with AWS and Kubernetes command-line tools.
  • Excellent knowledge of networking technologies, particularly with OSI network layers and TCP/IP;
  • Strong communication and presentation skills.