Senior Security Engineer

Calix

6 - 8 years

Bengaluru

Posted: 16/01/2025

Job Description

Calix provides the cloud, software platforms, systems and services required for communications service providers to simplify their businesses, excite their subscribers and grow their value.

Role Description
The SCA Security Engineer should have at least 6-8 years of experience in the SCA / FOSS domain, engaging with Architects, Technical Leads, and Security Champions from Development teams to ensure that FOSS security and license needs are considered well in advance during the product development cycle.
You will be primarily responsible for defining, communicating and executing the strategy for the FOSS domain, including processes, tools, metrics, and reporting. You should be able to perform license and SBOM reviews along with validation of all dependencies, both direct and transitive, across all Calix products and guide the teams on security posture. You will also enable Shift Left capabilities for development and engineering teams via IDE support, training, education, and awareness.

Roles & Responsibilities

  • Subject Matter Expertise - Act as SME and provide technical leadership to the SCA domain, mainly FOSS Security and License Reviews. Support SCA scan operations, including scoping, scan pipeline creation (DevSecOps), scan scheduling and validation, and post-scan activities like prioritization and reporting.
  • Tools Engineering (SCA) - Deploy and manage SCA Security Tools, which may include configuration and deployment of SCA tools along with support in managing Security and License review policy violations. Work with the product teams to manage the SBOM and its license matrix across every release.
  • Shift Left Support - Work with product teams to enable SCA plugins on their local IDEs (Eclipse, IntelliJ, VSCode, etc.). Assist CI/CD processes with the integration of SCA scans into automated builds.
  • Security Posture - Work with Product Security leadership to mature the security team capabilities including reporting and remediation guidance in alignment with regulatory requirements.
  • Vendor Management - Monitor and communicate with the SCA vendor on false positive analysis, feature requests, version upgrades, rules customization, etc. Troubleshoot SCA scan related issues and open support queries with the vendor as necessary.

Qualifications:

  • 6-8 years of Application Security experience with a minimum of 3 years of experience in SCA tools like Snyk, Black Duck or Nexus Lifecycle Manager.
  • SCA tools experience must include Installation, Configuration, Administration and Performance Monitoring of tools, along with alerting on policy violations from both the license and the security viewpoint.
  • Build and maintain integrations for DevSecOps utilizing the SCA tool and SCM with a planned cadence.
  • Deep knowledge of CVE, CWE, CVSS, and common vulnerability classes.
  • Develop processes and improvements around toolsets, along with technical guides / documentation for toolset features and best practices.
  • Ability to interact with the product teams to explain the remediation and enforce security measures by participating in the design and implementation of product security practices.
  • Experience in managing exceptions and the risk register, and in making recommendations to Security Requirements.
  • Knowledge of managing end of life or obsolete component disposal would be a plus.
  • BA/BS degree in computer science, engineering, or information security. Desirable - one or more security certifications: CEH, CISM, CISSP
  • Must have excellent verbal, written and presentation skills. Ability to work in a fast-paced and highly collaborative environment.

About Company

Calix, Inc. is a cloud and software platform company headquartered in San Jose, California. It specializes in providing cloud-based software, systems, and services that enable broadband service providers to simplify operations, deliver exceptional subscriber experiences, and grow their businesses. Calix’s solutions focus on empowering communication service providers to optimize their networks, leverage advanced analytics, and create personalized customer experiences. Known for its innovation in broadband technology, Calix helps its clients transition to next-generation networks, ensuring scalability, efficiency, and improved customer satisfaction.
