Senior Security Engineer

Calix

8 - 10 years

Bengaluru

Posted: 16/01/2025

Job Description

Calix provides the cloud, software platforms, systems and services required for communications service providers to simplify their businesses, excite their subscribers and grow their value.

Roles & Responsibilities

  • Subject Matter Expertise - Act as SME and provide technical leadership for SAST security testing. Assist with the execution of SAST scan operations, including scoping, scan pipeline creation (DevSecOps), scan scheduling and validation, and post-scan activities such as prioritization and reporting.
  • Tools Engineering (SAST) - Deploy and manage SAST toolsets and work on SAST projects, which may include configuring and deploying security tools and applying their results to security analysis. Assist the language-specific SonarQube Rules committees as needed.
  • Shift Left Support - Assist application teams in integrating SonarQube processes into their local IDEs (Eclipse, IntelliJ, VS Code, etc.) and in running Sonar tests locally. Assist CI/CD processes with the integration of SonarQube scans into automated builds. Assist application teams in understanding technical debt and how to reduce it.
  • Security Posture - Work with Product Security leadership to mature the security team's capabilities, including reporting and remediation guidance in alignment with regulatory requirements. Identify security gaps and deficiencies, recommend corrective action for identified weaknesses, and advise on necessary risk acceptance for identified security risks.
  • S-SDLC Support - Assist with the execution of highly technical security assessments of SAST results for multiple languages including Java, JS, Go, Scala, C/C++, etc. Identify potential misuse scenarios and advise on secure development practices.
  • Vendor Management - Monitor and communicate with the Sonar community on version upgrades, rules customization, new feature inclusion, etc. Troubleshoot SonarQube scan-related issues and open issues with the vendor as necessary.

Job Requirements

  • 8-10 years' Product Security experience with a minimum of 5 years of experience in SonarQube. Experience with other SAST tools such as Coverity or Fortify is a plus.
  • SAST tool experience must include installation, enhancement, configuration and administration, and performance monitoring of tools, along with installation of new plugins.
  • Build and maintain integrations for all projects org-wide, spanning various coding languages: a DevSecOps pipeline using the SAST tool, SCM and development pipeline.
  • Develop processes and improvements around toolsets, along with technical guides and documentation for toolset features and best practices.
  • Develop and document the Sonar archival process (backup and restore) along with the certificate management process.
  • Understanding of the principles of secure coding techniques and secure code reviews, code coverage, network protocols and connectivity.
  • Ability to interact with the product teams to explain remediation and enforce security measures by participating in the design and implementation of product security practices.
  • Ability to communicate with product teams about upgrades, outages, releases, etc.
  • BA/BS degree in computer science, engineering, or information security. Desirable - one or more security certifications: CEH, CISM, CISSP
  • Must have excellent verbal, written and presentation skills. Ability to work in a fast-paced and highly collaborative environment.

About Company

Calix, Inc. is a cloud and software platform company headquartered in San Jose, California. It specializes in providing cloud-based software, systems, and services that enable broadband service providers to simplify operations, deliver exceptional subscriber experiences, and grow their businesses. Calix’s solutions focus on empowering communication service providers to optimize their networks, leverage advanced analytics, and create personalized customer experiences. Known for its innovation in broadband technology, Calix helps its clients transition to next-generation networks, ensuring scalability, efficiency, and improved customer satisfaction.
