[Hiring] Application Security Engineer @SAS

Role Description

As an Application Security Engineer within the Information Security Office (ISO), you will be responsible for verifying that our internally-used applications are secure by design. You will collaborate with a diverse set of development and management teams across R&D, IT, and SAS Managed Cloud Services organizations to help drive the maturity of the application security program at SAS.

As an Application Security Engineer, you will:

• Provide Subject Matter Communication:
  • Coordinate with the Secure Design team to ensure new environments/applications align with expected compliance levels.
  • Provide guidance to development teams on security design, threat modeling, and resolution of security vulnerabilities.
  • Advise on potential compensating and mitigating controls to reduce risk.
  • Triage security findings received through a public bug bounty program, communicating with both the developers and independent security researchers.
• Perform Security Assessments & Assist in Remediation:
  • Perform application security assessments and web application security assessments on both internal and external web applications and web services.
  • Interpret and triage results from web application assessments.
  • Assess Azure and AWS cloud offerings to ensure usage aligns with security best practices.
  • Assess applications for potential migration from on-prem to cloud.
• Build Security Standards & Integrations for Engineers:
  • Help research and define security benchmarks, guidelines, and processes.
  • Embrace curiosity, passion, authenticity and accountability. These are our values and influence everything we do.

Qualifications

• US Citizen.
• 5+ years of experience in Information Technology.
• Bachelor's degree in computer science or related quantitative field.
• Experience with web-based architectures and applications.
• Familiarity with industry standards for application security.
• Familiarity with common application security testing techniques (DAST, SCA, SAST, IAST) and vulnerability management tooling.
• Equivalent combination of related education, training and experience may be considered in place of the above qualifications.

Requirements

• Continuous Improvement: Originating action to improve existing conditions and processes; identifying improvement opportunities, generating ideas, and implementing solutions.
• Decision Making: Identifying and understanding problems and opportunities by gathering, analyzing, and interpreting quantitative and qualitative information; choosing the best course of action by establishing clear decision criteria, generating and evaluating alternatives, and making timely decisions; taking action that is consistent with available facts and constraints and optimizes probable consequences.
• Influencing: Using effective involvement and persuasion strategies to gain acceptance of ideas and commitment to actions that support specific work outcomes.
• Familiarity with DevSecOps.
• Familiarity with API Security best practices.
• Experience with container and Kubernetes security.
• Experience with Azure or other commercial clouds.
• Familiarity with various programming languages to assist with peer review (Java, Python, Golang).
• Relevant security certifications such as CISSP, CSSLP, GPEN, GWAPT, OSCP.
• Familiarity with industry standard authentication and authorization (OAuth, Okta, Microsoft Entra).

Benefits

• Comprehensive medical, prescription, dental and vision plans.
• Medical plan options include:
  • PPO with low annual deductible and copays.
  • HDHP combined with a health savings account with a contribution from SAS (no access to on-site health care center).
• Onsite Health Care Center (HQ) that’s free to employees and family members enrolled in the PPO plan. There's a pharmacy too! Not local to HQ? The pharmacy will ship prescriptions for no additional charge!
• An industry-leading 401k plan.
• Tuition Assistance Program and programs and resources to support your development.
• Generous time away including vacation time, a variety of paid holidays, and our much-loved U.S. Winter Wellness Break between December 25 and January 1.
• Volunteer Time Off, parental leave and unlimited paid sick days.
• Generous childcare benefits for all full-time employees.