Application Security Engineer

You will be a key member of the R&D Digital Translation team established under the Singapore Maritime Institute. The R&D Digital Translation team develops and operates digital and cyber products and translates R&D projects to real world implementations for the maritime industry.

You will provide application security consultancy and support to the application teams in areas such as security assessments, DevSecOps, security training and awareness to raise the application security level of competency and standards of our people and organisation.

Key Responsibilities

1. Plan the application security roadmap to improve the way application security is practiced in the organisation.

2. Develop secure application development practices, standards, guidelines, and solutions to raise the application security practices of our application teams.

3. Maintain various application security processes and automated source code scanning platform in the organisation.

4. Perform secure code quality reviews and conduct application penetration testing/vulnerability assessment.

5. Support various types of application testing and delivery (e.g. CI/CD) within the organisation.

6. Train and up-skill developers in the area of secure coding in various programming platforms such as Java, C#, PHP etc. and to write security acceptance criteria in user stories.

7. Train the applications team to write security unit tests and perform secure coding assessments

8. Work with DevOps team to improve security in the CI/CD pipeline

Requirements:

1. At least 3-5 years combined work experience in software development, application security and cloud computing (e.g. Azure, AWS)

2. Background in Computer Science or related field required

3. Experience in conducting manual secure source code review in at least one of the following programming platforms in both waterfall and Agile approach: Java, PHP, Javascript, C#, Android, iOS 4. Experience in threat modelling and able to establish threat profiles for application projects to identify, quantify and remediate application security risks.

5. Experience working with mobile and web application programming interfaces (API) architecture (e.g. REST, SOAP, SSL/TLS)

6. Demonstrate knowledge in industry security best practices such as OWASP Top 10, OWASP application security verification standard

7. Experience on using SAST code scanning tools such as Checkmarx, Sonarqube, etc.

8. Familiar with Agile Development process, CI/CD, DevOps concepts, tools (Git, Gitlab, Github, Jenkins, Anslbe etc) and how automated security testing can be incorporated into CI/CI pipelines

9. Collaborate extensively with various teams (application, networking, infrastructure) to maintain, establish and deliver application security services for the organisation

10. Good verbal/written communications skills and experience interacting with various stakeholders 11. Strong interest and passion for the field of application security.

12. Strong problem-solving and troubleshooting skills.

13. Self-reliant with an analytical and creative mind.

Additional

1. Experience working with industry APIs such as Apigee or equivalent.

2. Certification in CISSP (Certified Information Systems Security Professional)

3. DevOps related certifications e.g. Azure DevOps Engineer Expert or AWS DevOps Engineer

4. Offensive Security Certified Professional (OSCP), Offensive Security Web Expert (OWSE)

5. Experience in working with Government Commercial Cloud (GCC)