Application Security Engineer
San Francisco, CA
New Context is a rapidly growing consulting company in the heart of downtown San Francisco. We specialize in Lean Security: an approach that leads organizations to build better, safer software through hands-on technical and management consulting. We are a group of engineers who live and breathe Agile Infrastructure, Systems Automation, Cloud Orchestration, and Information & Application Security.
As a New Context Application Security Engineer you will be a member of our LS/IQ product development team. One third of your time will be working with customers directly in an advisory role and two thirds will be as a software engineer to further develop the LS/IQ product. Information security experience and credentials are a requirement.
Our team members are expected to work with customers as trusted advisers on all aspects of security, and especially to translate customer security assessment requirements into plain language that guides their teams through meeting those requirements. We're looking for security generalists with application security expertise and development skills: people who can think in security, communicate that thinking to our clients in plain English, and are also comfortable in an active Agile software development role. You will apply our core methodologies (DevOps, Agile, Lean, TDD and Pair Programming) together with your application security expertise to advise and assist our customers' engineering, security, DevOps and development leadership and teams. Expect to be involved in application security and vulnerability management using Open Source technologies, as well as in all aspects of application security architecture, directives, and standards.
You will work with our clients and other New Context team members from your home, a New Context office, and occasionally client sites. We foster a tight-knit, highly supportive environment where you will be respected and included. Even if you don't know the answer to a question immediately, you'll have the entire company supporting you via Slack, Zoom, or in person. We also host a daily, all-company stand-up via Zoom and a weekly company Retro, so you won't just be a name on an email.
At New Context, our core values are Humility, Integrity, Quality & Passion! Our employees live these values every single day.
Who You Are
- A seasoned technologist with 5+ years of work experience, including as a technical lead, in cybersecurity, secure application development, or application security roles;
- CISSP certified;
- Experienced in meeting cybersecurity framework controls such as SOC 2, PCI DSS, HIPAA, NIST, CSA, and ISO;
- Experienced in application development using tools such as Node.js, Vue.js, PostgreSQL, MongoDB, and Ruby on Rails;
- Experienced in deploying and maintaining SaaS products in AWS, GCP or Azure;
- Experienced in Open Source web technologies, especially in the areas of highly available, secure systems;
- Experienced with cloud-native (AWS, Google Cloud, Azure) application implementations and the relevant security risks and mitigations;
- Have worked in a team to create production-quality applications in an Agile environment;
- Possess working knowledge of Unix-based operating systems and networking concepts;
- Comfortable with authentication and authorization functionality and systems: identity federation (SAML, OAuth, OpenID Connect), directory services (LDAP, AD), and authenticating proxies;
- Happy and effective as a consultant; experienced with external clients and customers and able to communicate productively with them to explain technical aspects and project status;
- A great teammate, able to think creatively on your feet and learn quickly on the job in order to meet the expectations of our clients.
Bonus points if you are:
- CEH, CASE, GWEB, GWAPT, GSSP (or equivalent) certified;
- Familiar with network security fundamentals, social engineering, and/or forensic analysis;
- A believer in automated tests and their role in software engineering;
- Familiar with Infrastructure as Code (IaC) and automated server provisioning technologies;
- A member of national and/or local security groups.
Technology we use: We tailor solutions to our customers. You might work on projects using any of the following technologies (or other similar technologies):
- Security: Burp Suite, ZAP Proxy, SAST/DAST scanning tools, Threat Modeling, Kali Linux, Standards & Compliance, Application Security, Layer 7 Firewalls, OSSEC, HashiCorp Vault, STIX, TAXII;
- Automation: Chef, Puppet, Docker, Ansible, Salt, Terraform, Automated Testing;
- Containerization Ecosystem: Docker, Mesosphere, Rancher, CoreOS, Kubernetes;
- Cloud & Virtualization: AWS, Google Compute Engine, OpenStack, CloudStack, KVM, libvirt;
- Tools: Jenkins, Atlassian Suite, Pivotal Tracker, Vagrant, Git, Packer;
- Monitoring: Sysdig, Datadog, AppDynamics, New Relic, Sentry, Nagios, Prometheus;
- Databases/Datastores: Cassandra, Hadoop, Redis, Postgres, MySQL.
We are committed to equal-employment principles, and we recognize the value of committed employees who feel they are being treated in an equitable and professional manner. We are passionate about finding ways to attract, develop and retain the talent and unique viewpoints needed to meet business objectives, and to recruit and employ highly qualified individuals representing the diverse communities in which we live, because we believe that this diversity results in conversations which stimulate new and innovative ideas.
Employment policies and decisions on employment and promotion are based on merit, qualifications, performance, and business needs. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.