Application Security Engineer
Who We Are:
Bandwidth lives for innovation! Our technology powers brands like Google, Microsoft, GoDaddy, Arlo, Netgear, Zoom, Rover and more of the most exciting leaders in technology. Our intelligent voice, messaging, 9-1-1 access, and phone number services— all backed by Bandwidth’s own nationwide, all-IP voice network—allow us to power the way people communicate, connect, and do business.
At Bandwidth, your music matters when you are part of the BAND. We celebrate differences and encourage BANDmates to be their authentic selves. #jointheband
What We Are Looking For:
Are you excited about the position and its responsibilities, but not sure if you’re 100% qualified? Do you feel you can work to help us crush the mission? If you answered ‘yes’ to both of these questions, we encourage you to apply! You won’t want to miss the opportunity to be a part of the BAND.
The Application Security Engineer will assist in the protection of Bandwidth applications and web services. This person will be responsible for performing internal penetration testing, manual code reviews, threat hunting and security architecture reviews, and for validating vulnerabilities and the effectiveness of security bug remediations. The Application Security Engineer will work closely with the development teams, providing training, vulnerability prioritization and remediation guidance, including detailed finding reports based on secure development best practices and secure software architecture designs. They will also actively monitor metrics, administer and manage Interactive Application Security Testing (IAST) and Dynamic Application Security Testing (DAST) tools, and integrate those tools and their security findings into the development CI/CD pipelines.
What You’ll Do:
- Provide guidance and expert advice to software development teams on secure code development and design.
- Perform static code analysis of application code (manual and automated) and dynamic scanning of applications.
- Manage and administer IAST (Interactive Application Security Testing) platforms and scanning agents.
- Review, validate, triage and prioritize security findings across the development teams for remediation.
- Execute internal and external penetration testing across Bandwidth products, platforms and services.
- Provide application security architecture reviews to development teams based on findings and lessons learned.
- Perform application security threat and impact assessments based on regulatory, certification and contractual
- Perform risk analysis on applications and architecture designs and assist the development team in mitigation
- Participate in the CSIRT team as related to code-level software vulnerabilities.
- Develop custom code tools and applications to test, validate and/or exploit vulnerabilities and security bug
- Provide detailed technical documentation and written reports of vulnerability / exploit reports for the Infosec and
- Perform in-person training on best practices and secure coding standards, and manage online secure development training for the organization.
- Work with and support secure software development champions across the development and business teams.
What You Need:
- Bachelor's degree.
- One or more of the following certifications: CISSP, GPEN, GWAPT, OSWE, OSCE, OSCP.
- 4 years of experience in IT-related roles.
- Knowledge of OWASP guidelines, SSDLC processes and standards, and MITRE ATT&CK.
- Proficient in Windows and Linux OS.
- Penetration testing tools (Kali Linux, Burp Suite, sqlmap, etc.).
- Experience in black-box, grey-box and/or white-box testing.
- Web and API penetration testing.
- Fluent in one or more programming and scripting languages.
- Experience with Kali Linux, CentOS, Debian and Red Hat.
- Understanding of cryptography: encryption, digital signatures, hashing, HMAC, and how they are attacked.
- Understanding of authentication and authorization mechanisms, TLS/SSL, OAuth, SAML and REST.
- Ability to explain security concepts to non-technical audiences.
- Good written and verbal communication skills and the ability to interact well with different levels within the organization.
- Ability to think both offensively (hacker) and defensively (security architecture).
The Whole Person Promise:
We make a “Whole Person” promise to our team. You can have both meaningful work PLUS a full life at Bandwidth. We focus on accomplishing our mission as “whole people.” That means we take care of our people—in body, mind, and spirit.
- Health: We pay 100% for benefits coverage including medical, dental, vision, prescription, life and disability. Generous paid time off (PTO) policy including paid parental leave, EAP and 401(k) match.
- Fitness: 90-minute fitness lunch with a paid gym membership for workouts. On-site cardio gym, locker room/showers, classes, and sponsored sports and leagues. Nutritionist and personal trainer on-site.
- Volunteer: We have a program dedicated to providing volunteer opportunities to employees, BandwidthCares.