Application Security Engineer

Company Description

ATPCO is the foundation of flight shopping, providing pricing and retailing data, tools, and services to 500+ airlines, global distribution systems, sales channels, and technology companies. ATPCO links the entire airline community together, collaborating to develop industry standards for airline distribution and end-to-end technology solutions. From shopping to settlement, ATPCO solutions work seamlessly across existing, new, and evolving technologies and methods. Airline-owned and reliably supporting air travel for more than 55 years, ATPCO is everywhere people buy flights.

Employees are eligible for our benefits package including employer matched 401(k), group health insurance and wellness programs, paid time off, tuition reimbursement, standby flight program and employee collaborated work and life standards.

We consider qualified applicants for employment without regard to race, gender, age, color, religion, national origin, citizenship status, marital status, disability, sexual orientation, protected military/veteran status, gender identity or expression, genetic information, marital status, medical condition, or any other legally protected factor.

Job Description

The InfoSec team is responsible for finding and solving the biggest security risks facing our applications and infrastructure. As an engineering team ourselves, we do this by building paved roads and guardrails. We believe that the secure option should also be the easiest option for our users. We’re looking for a strong Engineer with a deep understanding of securing applications in a Cloud-native world to help us execute this vision.

You will:

• Develop automated security testing for centralized security libraries which scale directly with developer needs and enable them to write secure code more easily.
• Have significant ownership in and evangelize security training with development teams.
• Drive initiatives which scale application security and holistically address application vulnerabilities.
• Be able to review code in context and defend findings.
• Support and consult with product and development teams in application security, including threat modeling and AppSec reviews.
• Assist teams in reproducing, triaging, and remediating application security vulnerabilities.
• Assist in development of security processes and automated tooling that prevent classes of security issues.
• With a focus on AWS, build the application specific security components of the next phase of ATPCOs Cloud infrastructure, shaping secure application development for years to come.
• Build automation to help us discover, measure, and contextualize application security issues.
• Partner with platform teams to deliver solutions that permanently solve entire categories of security risk.
• Participate in varied penetration testing and vulnerability assessments of applications, operating systems and/or networks.

Requirements:

• Able to work collaboratively with and advocate for software development teams.
• Experience with product management tools and practices, can interface directly with product teams to assign work/influence backlog for security needs.
• Experience identifying security issues through code review.
• Excellent and professional communication skills (written and verbal) with an ability to articulate complex topics in a clear and concise manner.
• Familiarity with some common security libraries and tools (e.g. static analysis tools, proxying / penetration testing tools).
• Knowledge of Secure SDLC and Security standards like OWASP, CWE, NIST, OSSTMM 5 Penetration Testing Methodology
• Familiarity and ability to explain common security flaws and ways to address them (e.g. OWASP Top 10).
• Development or scripting experience and skills. JSON, Python, YAML, CloudFormation, Terraform, PowerShell, etc. are preferred.
• A strong understanding of network and web related protocols (such as TCP/IP, UDP, HTTP, HTTPS, protocols)
• Has strong analytical, technical, and organizational skills to include strong attention to detail.
• Prior application security experience in a distributed, multi-Cloud hybrid environment with a focus on AWS.
• Knowledge of application penetration testing, threat modeling, and security architecture reviews
• Experience integrating security into the development pipeline, with hands-on experience with Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), Runtime Application Self-Protection (RASP), and software composition analysis solutions.
• Experience with configuration of cloud and platform technologies (AWS, Kubernetes, Dockers, Linux, Windows)
• Establishes, maintains, and reports upon metrics regarding overall application security posture.
• Excellent technical documentation skills.

Additional Information