
Application Security Engineer

Evagroup Asia Pacific Pte. Ltd.


Company:

Sopra Steria is a listed European tech leader specializing in Consulting, Digital Services, and Software. We have 60,000 employees worldwide located in different regions (Europe, North America and Asia), with Singapore as the HQ for APAC. EvaGroup Asia Pacific is part of Sopra Steria I2S APAC, in charge of Infrastructure, Cloud and Cybersecurity services.


Descriptions:

In this role, you will join a team of six members from Sopra Steria to support one of our government projects. The scope of work includes:

  1. Security Risk Assessment
  2. Security Policies, Standards, Guidelines, And Procedures Review
  3. Security Design
  4. Application Security
  5. Vulnerability Assessment; and
  6. System Security Acceptance Testing


You will be an expert in the field of Application Security.


Responsibilities:

  • You shall conduct Application Security (AppSec) assessments that align with Government security policies or industry best practices.
  1. Reviewing and ensuring governance of AppSec requirements is carried out.
  2. Guide application project teams in performing AppSec assessments using a combination of threat modelling, code scanning, vulnerability research and application security testing, and recommend treatment/mitigation measures and actions to be taken.
  3. Develop and review CI/CD pipelines for applications to support the DevSecOps methodology for secure and efficient software releases.
  4. Review and recommend security testing tools, such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Vulnerability Assessment and Penetration Testing (VAPT).
  5. Apply secure coding techniques to review and assess vulnerabilities on systems developed using popular web/mobile programming languages, such as HTML, JavaScript, Node.js, Angular, ASP.NET, C#, Java, PHP, Python and Ruby.
  • You shall deliver minimally the following deliverables as part of the AppSec assessment. The documentation shall include the following information:
  1. Description of the scope, goals, objectives of the AppSec review;
  2. Description of the threat model, code review and recommendations;
  3. Description of the CI/CD pipeline architecture, scripts for building, deploying, and testing, and the security and logging features;
  4. Recommendation for security testing tools; and
  5. Description of the vulnerabilities found, their severity, and recommendations for remediation.
  • You shall conduct security risk assessment for Applications, including Mobile Application, and Web Application.
  • Assess mobile applications based on compliance with Mobile Application standards (e.g., Mobile Application Security Verification Standard (MASVS) version 1.2 or a later version). The assessment shall minimally include:
  1. Architecture, design and threat modelling where the Mobile Applications are deployed for use;
  2. Data exposure;
  3. Cryptography (e.g., whether the Mobile Application uses cryptographic protocols or algorithms that are widely considered deprecated for security purposes);
  4. Authentication and session management (e.g., confirming that user credentials are not verified using biometric/token-based methods alone, and that session timeouts are enforced);
  5. Platform Interaction processes (e.g., uses Platform API and standard components in a secure way);
  6. Code Quality and Build Settings (e.g., checks for debugging settings, exception handling, memory corruption, and whether any free platform security features are activated or deployed); and
  7. Resiliency against reverse engineering.
  • The scope for Web Application shall minimally include:
  1. Underlying infrastructure (e.g., where the Web Application is hosted);
  2. Software libraries (e.g., software libraries used);
  3. Frameworks used in the development of Web Application (e.g., Application Programming Interface (API));
  4. Injection (e.g., SQL injection flaws where untrusted data is sent as part of a command or query);
  5. Authentication (e.g., broken authentication where the Web Application functions related to authentication are implemented incorrectly, allowing compromise of passwords or keys, or exploitation of other implementation flaws);
  6. Access control (e.g., restrictions on what authenticated users can do are not properly enforced);
  7. Security configuration (e.g., misconfiguration resulting in insecure settings, or data stored in unprotected cloud storage);
  8. Data exposure (e.g., APIs and applications do not properly protect sensitive data);
  9. Logging and monitoring (e.g., insufficient logging and monitoring, coupled with ineffective incident response, may allow attackers to pivot to further tampering, data extraction, or data breaches);
  10. Deserialization (e.g., insecure deserialization can lead to remote code execution and replay attacks);
  11. Cross-site scripting (XSS) (e.g., XSS flaws allow attackers to hijack user sessions and redirect users to malicious sites); and
  12. Management of secret keys (e.g., keys used to access REST API services).


Requirements:

  • At least 3 years of experience in software development, application security and cloud computing (e.g., AWS)
  • Experience working with mobile and web application programming interface (API) architecture
  • Demonstrated knowledge of industry security best practices such as the OWASP Top 10 and the OWASP Application Security Verification Standard
  • Familiar with the Agile development process, CI/CD, DevOps concepts and tools (Git, GitLab, GitHub, Jenkins, Ansible, etc.)
  • Good verbal/written communications skills and experience interacting with various stakeholders
  • Strong interest and passion for the field of application security
  • Strong problem-solving and troubleshooting skills
  • Self-reliant with an analytical and creative mind


Benefits:

  • Regular team-building activities
  • 18 leave days / year
  • Health, Dental and Optical Insurance
  • Annual bonus
  • Working hours: from 8:30am to 6pm, Monday to Friday
  • Training and certification bonus
