• Contract
  • London
  • £500 - £515 per day USD / Year

Currently a media client of mine is looking to speak with Applcation Security Engineers for an outside IR35 Contract for a minimum of 6 months.

This role does require 2 days a week on site in London.

? Actively participate in defining and gathering requirements for the Application Security programme, support with creating designs where required.
? Working with the AppSec team, discover, develop and update our inventory of production applications and services so vulnerability remediation can be prioritised, and assist with classifying them accordingly.
? Work with the Cyber Security team, Platform team and Engineering teams to implement automated security tooling within the agreed CI/CD pipelines. e.g. SCA, SAST, IaC, Container Scanning etc.
? Work as a lead to shift the organisation from a DevOps model to a DevSecOps model.
? Support the Development and Platform teams with embedding new ways of working when shifting to a DevSecOps model.
? Automate security testing and vulnerability management procedures wherever possible, to reduce manual effort,ensuring assessment and remediation advice is readily and always available to the development and engineering teams.
? Work with our Platform Engineering team to ensure the process for deploying containers is secure and container vulnerabilities are remediated prior to deployment.
? Drive security improvements within the products and applications Condé Nast develops.
? Provide expertise in the areas of security and privacy throughout the development lifecycle.
? Assist in the creation of reports that include KRIs for the S-SDLC
? Working with the AppSec Lead, provide the overall design and implementation of a gated process for DevSecOps delivery, ensuring alignment with Cyber Security requirements.
? Work alongside relevant teams to help remediate vulnerabilities within pipelines and support the remediation of issues within pipelines as they arise.
? Support with code reviews/analysis – Condé Nast uses various languages; JavaScript, Python, Go, etc, so development language experience is essential.
? Identify any existing gaps within the deployment and architecture and recommend changes or enhancements.
? Support with coordinating technical security scanning, testing, application security testing and similar monitoring and validation techniques, where required.
? Define an approach and solution for ensuring applications which exist within our digital/customer environments are being assessed for vulnerabilities.

  • Working with the AppSec team, create standards and processes related to application security to support the organisation.

Required Skills:
To be successful, the candidate will need to have and demonstrate many of the following knowledge, skills and experiences, along with a proactive focused attitude;

  • Have experience working on, delivering, supporting Application Security projects:
    • Identifying, defining and implementing requirements for Application Security tooling. Providing inputs to, and support for, evaluating RFI/RFPs and selecting vendors.

? Scoping, development and publication of comprehensive application security standards, policies, procedures and guidelines.
? Discovering, design and implementation of application security frameworks for ranking / tiering /application portfolios; including risk factors and classifications.
? Identifying, developing and implementing appropriate S-SDLC models and frameworks which incorporate tooling.
? Experience delivering and evaluating PoCs for application security tools.
? Arranging pen-testing via 3rd parties, including establishing schedules for tiered apps across estates.
? Understand impacts on business and developers day-to-day workloads for the remediation of vulnerabilities under an agreed standard.
? Experience with SAST, SCA, IaC and Container scanning security tools including the development and reporting of KPI’s & continual service improvement processes.
? Implementing monitoring / alerting solutions across product estates, performing and closing GAP analysis and transitioning across to SOC / Operational teams.

  • Familiarity with vulnerability management frameworks and concepts such as CVE, and CVSS
  • Experience with DevSecOps concepts and tools, having the ability to advise on best practice and implement these.
  • Expertise in AWS and understanding of GCP and Azure Cloud
  • Good knowledge on container technologies (Kubernetes, Docker, AWS EKS) and securing the environments they run within, including embedding tools to secure the deployment of containers within the pipeline.
  • Fluency with scripting and automation languages such as Go, Python, Ruby, Bash, etc.
  • Experience of working with GitHub Actions, Jenkins and ECR
  • Experience of configuration management tools such as Terraform and Ansible
  • Experience of having implemented IaC, SCA, Static and Dynamic Code Analysis tools within pipelines.

? Knowledge of application security flaws and web application best practices (e.g.
OWASP Top 10, CWE SANS Top 25)
? Minimum of 5 years experience having led a team in implementing tools and automating processes as part of a DevSecOps model.

  • Experience of having supported an organisation in shifting from a DevOps model, to a DevSecOps model, with a focus on securing the development pipeline.

? Minimum 4 years experience of Application Security and Software Development
? Understanding of security and compliance frameworks such as NIST, ISO27001, CIS, PCI-DSS
? Ability to explain application vulnerabilities to different audiences – technical and business.
? Knowledge of monitoring and verifying the implementation of IT security baselines within the IT organisation.

  • Experience of managing vulnerabilities in cloud and containers is essential.

? Good communication and presentation skills

  • Good written language skills

Educational Qualifications:

  • Any of the following certifications would be advantageous: ? BS Computer Science or similar qualification
    • AWS Certified Solutions Architect – Associate (SAA)

? Application Security certifications (CASE, CEH, CSSLP or similar)

Upload your CV/resume or any other relevant file. Max. file size: 50 MB.