Senior Application Security Engineer

What you'll do:

• Security Assurance: Implement and maintain robust security practices across the software development lifecycle to ensure the security and quality of a wide range of services and products.
• Security Assessments: Conduct regular security assessments, including code inspections, design reviews, threat modeling, and penetration testing, particularly for mobile and web applications, on both new and existing products to identify potential vulnerabilities and security weaknesses.
• Secure Design & Development: Collaborate with engineering teams to enforce secure design principles and ensure compliance with security policies, standards, and guidelines for web and mobile applications.
• Consulting & Advisory: Provide security expertise and guidance to engineering and business teams, assisting in the implementation and enforcement of secure design principles and best practices aligned with industry standards.
• Security Tools & Research: Research, evaluate, and support the implementation of security tools and technologies that enhance the organization's security posture.
• Vulnerability Management: Work closely with software engineers to analyze identified security vulnerabilities, provide recommendations for remediation, and track issues through to resolution.
• Incident Response: Assist in the investigation and response to security incidents related to application security, ensuring timely and effective resolution of security threats.

What you need to succeed in this role:

• Experience: A minimum of 5 years of experience in application-level vulnerability testing, penetration testing, or building and implementing software security controls. Experience in performing mobile and web penetration tests, particularly in the financial industry under Bank of Thailand (BOT) regulations, is highly desirable.
• Technical Expertise: In-depth knowledge of software development, security engineering, computer and network security, cloud security, authentication mechanisms, security protocols, and applied cryptography.
• Vulnerability Identification: Proven experience in identifying and remediating common web and mobile application vulnerabilities, including those listed in OWASP Top 10 and Mobile Top 10.
• Tool Proficiency: Proficient in using various commercial and open-source penetration testing tools, with familiarity in static and dynamic analysis tools.
• Development Skills: Solid understanding of software development principles and experience with one or more programming languages (such as Java, C++, Ruby, Python, Perl, Go) and development frameworks (Spring Framework, Swift, Kotlin, React Native, ReactJS, VueJS) for secure code review.

It would be great if you have:

• Cloud & Infrastructure Knowledge: Understanding of modern IT infrastructure, including cloud environments (AWS preferred), Linux containers, and orchestration systems (Kubernetes).
• Cryptography & Architecture: Strong understanding of cryptography, web service frameworks, mobile application architectures, and service-oriented architectures.
• Certifications:
• Must-Have: At least one of the following certifications: OSCP, OSWP, OSCE, OSEE, or OSWE.
• Nice-to-Have: Additional certifications such as CISSP, CSSLP, CISM, CEH, GPEN, or equivalent.
• Problem-Solver: Strong analytical and problem-solving skills with a keen eye for detail.
• Team Player: Ability to work collaboratively in a fast-paced, dynamic environment.
• Communication: Excellent communication skills, capable of conveying complex security concepts to both technical and non-technical stakeholders.
• Continuous Learner: A passion for continuous learning and staying updated on the latest trends and advancements in application security.