Penguin Random House wouldn't perhaps be the first company that comes to mind when you think of a career in IT but here's a number of reasons why we think you should change your mind: we're the number 1 publishing firm in the USA, likely globally, fresh off the back of an incredibly strong performance last year; we're going through a lot of change, particularly in technology, and have embraced and thrived in an environment new to us; we consider ourselves to be the pioneers of publishing and are always looking for ways to operate more efficiently with creativity in mind; we feel like we're akin to a start-up environment, but within an established business that's excited to embrace new processes and technologies – you have all the fun and excitement within a company that's tried and tested!
Penguin Random House is looking to recruit an Application Security Engineer who will be a part of the IT Security organization. This position will focus on Secure SDLC and Application Security services and technologies to ensure a secure by design approach across Penguin Random House's applications. In addition, the individual will be expected to contribute to and help deliver services and projects in other areas of information security.
The individual will partner with developers and business owners from applicable technical teams to assess the security architecture of new products and capabilities via application security assessments, prioritize and advise on options to mitigate identified flaws and vulnerabilities, and work with development teams to define and evangelize security best practices.
The successful candidate will have experience in at least one of the following: securing work streams in AWS and Azure, SecDevOps and automation, secure coding practices, or application development experience with a desire to move into application security. You will establish multi-functional relationships with colleagues to become a trusted resource for development while also maintaining a hands-on role in implementing solutions and crafting specifications for those teams.
• Architecting our core infrastructure to reduce the attack surface of critical services and mitigate the impact of exploits
• Design and plan application security architectures that align to the company's business strategy and commitments, inclusive of privacy and compliance
• Script (Python, Perl, Ruby, etc.) and build automation tools on an ad-hoc basis
• Create and deliver presentations and documentation to educate developers and operations teams on application security best practices and secure coding techniques
• Discover threats, vulnerabilities, and exploits through architecture design review, threat modeling, code review, SAST and DAST assessments and work with developers/engineers to remediate issues
• Develop application security policies, standards, and guides that can be leveraged in the secure development of products and services
• Work with DevOps team to improve application security; integrate security tools into CI/CD pipeline including, but not limited to, container security, SAST, DAST, IAST, third-party vulnerability scanning, etc.
• Partner with security stakeholders across the organization to help delivery teams envision and deliver security initiatives
Required Knowledge and Skills:
• Experience with application security tools, including DAST, SAST, penetration testing, fuzzing, etc.
• Strong understanding of common software and web application security vulnerabilities, including OWASP Top 10 and SANS/CWE Top 25
• Security testing of web applications or mobile applications using OWASP ASVS/M-ASVS and testing guides
• DevOps experience building and deploying infrastructure with cloud deployment, including building and testing automation technologies like Docker, GitLab, Ansible, Jenkins, etc.
• Advanced understanding and experience with web architectures, web applications, APIs, mobile applications, desktop applications, unified communications (including VoIP and SMS), and the underlying technology of cloud infrastructure
• Experience securing DevOps, including continuous integration, configuration management, and continuous deployment
• Experience leading code reviews, threat modeling, and penetration testing
• Excellent communication, interpersonal, and organizational skills
Education and Experience Requirements:
• At least 5+ years' professional experience with both a detailed technical knowledge and hands-on practice working in secure software development, security engineering, DevOps, application penetration testing, and/or negative QA testing
• Industry recognized certification in security is a plus (e.g., CISSP, CISA, CISM, CRISC, CEH, etc.)
Candidate will be expected to be on a call rotation for after-hour support or escalation
Full-time employees are eligible for our comprehensive benefits program. Our range of benefits include, but are not limited to, Medical/Prescription drug insurance, Dental, Vision, Health Care/Dependent Care Flexible Spending Account, Health Savings Account, Pre-Tax and Roth 401(k), Short and Long-Term Disability Insurance, Life/AD&D Insurance, Commuter Benefits, Student Loan Repayment Program, Educational Assistance & generous paid time off.
Jobcode: Reference SBJ-gm15z6-34-239-160-86-42 in your application.