Senior Application Security Engineer

Kuala Lumpur


GfK

Learn how GfK's data analytics, consumer reports & market intelligence can help you generate the marketing strategy that drives business decision making.


Country

Malaysia

Job Family

IT

We show the world what people want.

Join GfK and help us shape tomorrow. As an NIQ company, we are the world's leading consumer intelligence firm, delivering the Full View™ on consumer behavior. We work to enable manufacturers and retailers to better understand what consumers really want. Our name has inspired trust for over 89 years because we take pride in discovering new pathways to sustainable growth for our clients, our people, and our planet.

We are always looking for open-minded people who will grow with us, push boundaries, and pioneer disruptive methods in market research, data science, technology, and AI. If you share this passion to drive things forward and the integrity to insist on doing things the right way, we'll equip you to take your future into your own hands and play a leading role in our story.

Job Description

Key Responsibilities
• Embed security culture within the CSG engineering teams
• “Shift left” and automate security wherever possible
• Work with engineering squads (Developers, SREs & QAs) to ensure that projects are secure on delivery
• Provide KPIs/metrics to ensure testing coverage and vulnerabilities are remediated within agreed SLAs
• Integrate security tools into the SDLC
• Build/maintain/support security testing tools
• Manually validate findings from security scans to eliminate false positives
• Work in a fast-paced environment to identify and assist in troubleshooting vulnerabilities identified during application vulnerability scans
• Explain risk and criticality of identified vulnerabilities to business owners/technical teams and advise on remediation activities, including attending development/engineering stand-ups
• Work with business application owners/technical engineering teams on remediation plans and assist teams on what to fix and how to fix it
• Perform threat modelling on web applications, public cloud and containerized environments
• Run static analysis and perform code/third-party library reviews to identify security weaknesses
• Conduct risk assessments of web applications
• Support security incidents involving Cloud environments and web services
• Assist with management and tuning of the Web Application Firewall (WAF)
• Assist in maintaining a CMDB of web applications and performing risk assessments of the applications
• Contribute to the application security framework
• Participate in the Security Community of Practice (CoP)
• Take ownership of additional duties as required

Experience/Skills/Competencies required:
Skills:
• Be able to build good working relationships with both technical and business stakeholders, gaining their respect and trust based on your knowledge and professionalism
• Have the ability and desire to quickly learn new technologies
• Excellent communication skills and ability to work with global counterparts
• Ability to work in a fast-paced environment
• Promote DevSecOps, leading by example to change existing systems and practices for the better
• Good troubleshooting skills
• Forward looking approach to addressing existing & upcoming security challenges

Technical Skills:
• Full understanding of web stack, web security and common vulnerabilities (e.g. SQLi, XSS etc.)
• Development skills to facilitate code reviews or tool development
• A good understanding of securing public cloud technologies (AWS & GCP)
• Ability to work with APIs and plugins to integrate security tools into established CI/CD pipelines
• DevOps automation using Jenkins, Puppet, Ansible, GitLab, etc.
• Experience with securing container technologies including Docker and Kubernetes
• Experience integrating DAST, SAST, IAST & SCA tools into the SDLC
• Hands-on experience of infrastructure as code and HashiCorp Vault
• Understanding of network devices like firewalls, routers, etc. and platforms such as Windows, Unix, etc.
• Proficiency in Bash, Python, Perl, PowerShell or other scripting languages
• Ability to review and analyze vulnerability data to identify security risks to the organization's network, infrastructure, and applications, and to determine which reported vulnerabilities are false positives.
• Capability to prepare security vulnerability and risk management reports for management.
• Leadership and Teaming skills to coordinate remediation of vulnerabilities within established timeframes.
• Strong knowledge of OWASP
• Ability to think like a hacker

Experience:
• Experience working with Developers, DevOps, and Engineering teams in a dynamic environment to promote/implement the DevSecOps program throughout the organization
• Minimum of 5 years of relevant IT experience, with at least 3 years devoted specifically to DevSecOps
• Educated in Cyber Security/Computer Studies/Engineering
• Public cloud security certificate from AWS/GCP preferred
• SANS training or GIAC/OSCP/OSWE desirable
• Experience working in an Agile/Sprint based delivery environment (using Jira/Confluence or other bug tracking tools) would be an advantage in this role
• Prior DevOps/Development/QA experience would be beneficial

Other Responsibility
Other responsibilities may be allocated by the line manager to ensure the effectiveness of the group. All employees within GfK are expected to promote the image of the company. This will be done in part, by adopting a professional appearance and maintaining an efficient and effective working environment. It is expected that employees adhere to any specific deadlines set in respect of Company issues relating to professional servicing (internal and external) and objectives. The detail and scope of this job description may be altered to take account of changing company needs.

We are an ethical and honest company that is wholly committed to its clients and employees. We are proud to be an inclusive workplace for all and are committed to equal employment opportunity, focusing on all of our employees reaching their full potential. 

We respect and value every employee regardless of race, ethnicity, gender, sex, sexual orientation, age, personality, experience, culture, faith, socio-economic status, or physical or mental disabilities.

We endorse the core principles and rights set forth in the United Nations Declaration of Human Rights and the Social Charter of Fundamental Rights of the European Union, promoting the universal values of human dignity, freedom, equality, and solidarity.

Learn more about how we are driving diversity and inclusion in everything we do on: https://www.gfk.com/about-gfk/diversity-and-inclusion

At GfK we work collaboratively with our colleagues but offer a flexible working approach, including dividing our time between office & remote working as well as the opportunity to flex our working hours around team core hours.

We offer an exciting work environment that brings people together. We encourage an entrepreneurial and innovative spirit and make use of the latest digital technologies. We are looking for self-starters, who accept challenges and create solutions.

Can there be a better place to take center stage in the digital revolution? We are excited to get to know you!


Tags: Agile Ansible APIs Application security Automation AWS Bash CI/CD Cloud Confluence DAST DevOps DevSecOps Docker Firewalls GCP GIAC GitLab IAST Jira KPIs Kubernetes OSCP OSWE OWASP Perl PowerShell Puppet Python Risk assessment Risk management SANS SAST Scripting SDLC SLAs UNIX Vulnerabilities Vulnerability scans Windows XSS

Perks/benefits: Career development Flex hours

Region: Asia/Pacific
Country: Malaysia