Here at Skedulo we’re on a mission to support the 2.7 billion people in the worldand the companies that employ themwho do not work at a desk every day. Our global teams are collaborative, ambitious, innovative, and passionate about helping our customers realize their fullest potential by enabling their mobile workforces.
The Senior Security Engineer is responsible for implementing, configuring and maintaining information security tools, systems, and services. They will develop and execute security processes, policies, and procedures in collaboration with Engineering and Information Security groups. This role will champion DevSecOps /AppSec processes and practices and influence the Engineering teams across Skedulo to create secure by design services. The Engineer will also build automation to drive effective remediation of security issues, utilizing IaC (terraform) and ci/cd frameworks.
The Engineer works in conjunction with engineering and operations functions to identify and respond to security threats to the organization. They work on complex cross-functional projects that require an in-depth understanding of multiple security domains and threat modeling. They are responsible for proactive risk assessment and resolution alongside the engineering and operations teams.
This role reports to the Engineering Manager for our Infrastructure and Reliability squad and works in close collaboration with the Director of Information Security.
A key responsibility of this role is remediation of detected issues. This means working closely with other Engineering teams, but with primary responsibility for fixing security related issues sitting with this Engineer.
RESPONSIBILITIES
- Security architecture and implementation provide hands-on security posture and insights on modern cloud-based application architecture, containerisation, and security best practice. Lead and contribute to the planning, design, and implementation of strategic, cross functional cybersecurity controls.
- Proactive vulnerability resolution - work with engineering teams to determine whether an identified vulnerability is a problem or is mitigated by existing controls (and configure the vulnerability management tool to silence the alarms), and action paths to remediation (typically a pull request that solves the problem)
- Incident Management accountable for security incident response, which includes post incident reviews and remediation activities to prevent recurrence wherever possible. Provide expert advice and continuously improve incident management procedures.
- Support, Assist and Advise provide support to business units to ensure optimal use and application of cybersecurity processes and controls. Consultation with key stakeholders to ensure cybersecurity policies remain aligned with stakeholder requirements.
- Security Culture assist with mentoring and directing development team members to deliver quality solutions and support the growth and development of security culture across the team.
- Secure Development Lifecycle play a critical role in supporting a Secure Development Lifecycle by embedding innovative security solutions within an agile development pipeline and operational environment. Advise developers on best practices and standards.
Requirements
MINIMUM QUALIFICATIONS
- Proven experience in application security related fields
- Sound understanding of OWASP top 10 and CWE top 25 and how to mitigate them
- Hands on experience implementing DevSecOps practices, and Static and Dynamic Analysis tools
- Familiar with architecting secured modern cloud environments
- Familiar with integration platforms
- 3-5 years in information security role (e.g., SOC, Incident Response, Penetration Testing, Security Engineering)
- Formal education in Computer Science, Information Technology, Cybersecurity. Experience in lieu of formal education is acceptable.
- Thorough understanding of threat modeling and risk evaluation as it pertains to SaaS, and the ability to execute mitigation strategies.
DESIRED SKILLS/EXPERIENCE
- Background in AWS cloud infrastructure and would be able to look at an existing landscape and interpret it
- One or more Certifications (CISSP, GWEB, GPEN, GWAPT, OSWE, OSCE, OSCP)
- Knowledge of rules and regulations related to information security and data confidentiality (GDPR, HIPAA, FedRAMP, etc.)
- Software development or scripting experience
- Experience implementing Security improvements using automation products such as Terraform / Ansible / Cloudformation
- Familiar with Cloud Native infrastructure, as well as container orchestration knowledge (particularly Kubernetes)
ADDITIONAL REQUIREMENTS