Senior Application Security Engineer (m/f/d)

Date posted:
Company: Adidas
Location: Herzogenaurach (BY), N/A
Job Type: Full-Time

Purpose & Overall Relevance for the Organization:

This role covers the selection, design, justification, implementation and operation of controls and management strategies that maintain the security, confidentiality, integrity, availability and accountability of information systems, and their compliance with legislation, regulation and relevant standards.

As a Senior Application Security Engineer at adidas you will provide application security expertise and security best practices to our Product teams and other departments. You will identify and help to remediate vulnerabilities, establish best practices for our security program, and promote good security practices throughout the Product teams.

The ideal candidate loves both building and breaking software, across web security, API security, mobile security, cloud security and software security. You must help Product teams, Application Owners, developers and other IT departments understand security concepts and security best practices.

Key Responsibilities:

Information security

• Provides advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards.

• Obtains and acts on vulnerability information and conducts security risk assessments, business impact analysis and accreditation on complex information systems.

• Investigates major breaches of security, and recommends appropriate control improvements.

• Contributes to development of information security policy, standards and guidelines.

Specialist advice

• Actively maintains recognised expert-level knowledge in one or more identifiable specialisms.

• Provides definitive and expert advice in their specialist area(s).

• Oversees the provision of specialist advice by others and consolidates expertise from multiple sources, including third-party experts, to provide coherent advice that furthers organisational objectives.

• Supports and promotes the development and sharing of specialist knowledge within the organisation.

Research

• Within given research goals, builds on and refines appropriate outline ideas for research, including evaluation, development, demonstration and implementation.

• Applies standard methods to collect and analyse quantitative and qualitative data.

• Creates research reports to communicate research methodology, findings and conclusions. Contributes sections of material of publication quality.

• Uses available resources to update knowledge of any relevant field and curates a personal collection of relevant material. Participates in research communities.

Emerging technology monitoring

• Supports monitoring of the external environment and assessment of emerging technologies to evaluate the potential impacts, threats and opportunities for the organization.

• Contributes to the creation of reports, technology road mapping and the sharing of knowledge and insights.

Security administration

• Maintains security administration processes and checks that all requests for support are dealt with according to agreed procedures.

• Provides guidance in defining access rights and privileges.

• Investigates security breaches in accordance with established procedures, recommends required actions and supports / follows up to ensure these are implemented.

Digital forensics

• Contributes to digital forensic investigations. Processes and analyses evidence in line with policy, standards and guidelines and supports production of forensic findings and reports.

Penetration testing

• Maintains current knowledge of malware attacks and other cyber security threats.

• Creates test cases using in-depth technical analysis of risks and typical vulnerabilities.

• Produces test scripts, materials and test packs to test new and existing software or services.

• Specifies requirements for environment, data, resources and tools.

• Interprets, executes and documents complex test scripts using agreed methods and standards.

• Records and analyses actions and results.

• Reviews test results and modifies tests if necessary.

• Provides reports on progress, anomalies, risks and issues associated with the overall project.

• Reports on system quality and collects metrics on test cases.

• Provides specialist advice to support others.

Relationship management

• Implements the stakeholder engagement/communications plan.

• Deals with problems and issues, managing resolutions, corrective actions, lessons learned and the collection and dissemination of relevant information.

• Collects and uses feedback from customers and stakeholders to help measure the effectiveness of stakeholder management.

• Helps develop and enhance customer and stakeholder relationships.

  • Identify, reproduce and report security issues
  • Conduct internal security reviews
  • Collaborate with software engineers to make our software better
  • Collaborate with Product Owners and Architects to identify and understand vulnerabilities in their products
  • Keep abreast of new vulnerabilities and attack vectors, and the associated countermeasures
  • Participate in security issue management processes
  • Analyse penetration test reports
  • Provide technical support for Red Team exercises
  • Triage bug bounty submissions
  • Train developers on application security best practices

Key Relationships:

• Global IT

• Respective business function (GOPS, Finance, HR, Brand Marketing, Wholesale/Retail)

• HR Management

• Controlling

Knowledge, Skills and Experience

  • 5+ years of application security experience (pentesting, red teaming, source code auditing, threat modelling, product assessments, vulnerability research, application security consultancy)
  • A “breaker” mentality, but effective at crafting the mitigating controls
  • Ability to provide hands-on remediation guidance to product teams
  • Penetration testing and red teaming experience in corporate environments (Burp, Cobalt Strike, MITRE ATT&CK framework)
  • Understanding of OWASP security concepts and common application security risks, such as XSS, CSRF, SQL Injection, SSRF, SSTI, etc.
  • Strong experience in web/mobile/API application security
  • Knowledge of DevSecOps or a secure SDLC, and of the security tasks or operations to be included in a DevSecOps lifecycle
  • Strong communication skills and ability to influence engineering behaviours