Principal Application Security Engineer

Full Time
Sunnyvale, CA
Areas of Interest: Incident Response, Software Assurance and Security Engineering, Vulnerability Assessment and Management

Fortinet (NASDAQ: FTNT) protects the most valuable assets of some of the largest enterprise, service provider and government organizations across the globe. The company's fast, secure and global cyber security solutions provide broad, high-performance protection against dynamic security threats while simplifying the IT infrastructure. They are strengthened by the industry's highest level of threat research, intelligence and analytics. Unlike pure-play network security providers, Fortinet can solve organizations' most important security challenges, whether in networked, application or mobile environments - be it virtualized/cloud or physical. More than 210,000 customers worldwide, including some of the largest and most complex organizations, trust Fortinet to protect their brands. Learn more at, the Fortinet Blog or FortiGuard Labs.

Reporting to the Director of Information Security and Compliance, the Principal Application Security Engineer is an integral part of Fortinet's security team, helping to ensure application stability and the security of Fortinet's corporate and research environments. The Engineer will be foremost responsible for providing the highest level of security engineering support for applications, and to a lesser extent infrastructure, at Fortinet.


Note: This is a Security Analyst position. To put it in simplified terms: Security Engineers like to fix systems and Security Analysts try to break them. Analysts are more concerned with probing for risks and weaknesses (pen-testing, auditing, etc.); engineers are more intent on building robust security solutions.


We are looking for a highly motivated and qualified security professional with hands-on experience performing vulnerability assessments who possesses a thorough working knowledge of common commercial and/or open source vulnerability assessment tools and techniques used for evaluating operating systems, databases and web applications. (E.g. penetration testing methods related to web application mapping, reviewing client-side controls, testing user-input fields, and attacking session management, authentication, access controls, encryption, and backend databases/data stores). Candidates must have at least 5-7 years of current experience performing penetration tests, and have experience using both open source and commercial testing tools. Candidates should be familiar with manual testing techniques and be able to conduct penetration testing without data from vulnerability scanning engines.


The role involves some network penetration testing but concentrates mostly on web application penetration testing based on OWASP testing guidelines. The role also acts as liaison and SME to in-house groups of development engineers in IT with scant understanding of SAST, DAST, RASP and IAST practices, and will coordinate with teams to raise the level of application security skills, process, review and reporting.


The candidate will provide technical information system security testing in support of the appropriate security risk management processes. Techniques used in the security assessment and technical testing efforts include in-depth network and application vulnerability testing (both automated and manual) and demonstrable false-positive validation. Automated testing will include tools such as: Whitehat Security, Cenzic Hailstorm, BurpSuite Professional, DBProtect, Core Impact, Nmap, Metasploit, and other such tools as found in the BackTrack and Samurai Web Testing Framework distributions, etc. The candidate will be required to develop documentation in support of testing efforts that may include: Test Plans, Preliminary Findings Reports, Security Assessment Reports, and other, similar test artifacts.


The candidate will be part of a team whose tasks include: providing a secure environment and managing and mitigating risks; providing reporting and metrics; creating, reviewing, maintaining and updating documentation, including documenting and publishing fixes in a central knowledge base; working with global colleagues to provide globally consistent processes and solutions; investigating and troubleshooting root causes when escalated from operations; and escalating and liaising with additional internal/external groups when required.


The ideal candidate is a dedicated self-starter with interest in application security and IT infrastructure vulnerabilities and willingness to take on complex issues and resolve them in a timely manner. The candidate must have the aptitude to learn new concepts quickly with enough background knowledge in the operations field in order to understand new information technology security concepts and technology ramifications.

The role helps to maintain enterprise information security policies, technical standards, guidelines, procedures, and other elements necessary to support information security in compliance with established company policies, regulatory requirements, and generally accepted information security controls.

Responsibilities:

  • Web application security assessments (XSS, CSRF, SQL-Injections, etc. via manual testing)
  • Web vulnerability scans
  • Asset identification, network discovery, and software inventory
  • Identification of misconfigured software
  • Assessments of patching program effectiveness
  • Participation in incident response and remediation efforts
  • Analysis of hacking, penetration and defense threats
  • Maintenance of relevant exploit databases
  • Infrastructure assessments, penetration testing and vulnerability assessment
  • Other duties as assigned

Required Skills/Qualifications:

  • BS degree in computer science, related discipline or equivalent experience
  • Minimum of 5 years of relevant experience; additional years a plus
  • Thorough understanding of Networking Protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
  • Hands-on experience using a major enterprise web scanning tool (e.g., HP WebInspect, IBM AppScan, Acunetix, NTO Spider, etc.)
  • Familiarity with one major SAST tool or service (Veracode and/or HP Fortify)
  • Familiar with vulnerability assessment, confirmation, and validation tools, processes, methodologies, and strategies, including static and dynamic analysis tools/techniques
  • Complete familiarity with the Open Web Application Security Project (OWASP)
  • Some experience with code reviews of Perl, Python, Ruby, Java, HTML, CSS, ASP, ASP.NET, ColdFusion, Oracle, T-SQL, SQL and other languages, and identification of code logic flaws
  • Familiar with vulnerability reporting, tracking, management, and remediation processes, methodologies, and strategies
  • Familiar with host and vulnerability discovery strategies, processes, and best practices
  • Familiarity with, and hands-on penetration-testing experience against, Windows, Linux, OS X and mobile platform environments
  • Familiarity with, and hands-on penetration-testing experience against, common network topologies and implementations (e.g., infrastructure, DMZs, zones, wireless, etc.)
  • Familiar with network scanning tools (e.g., Qualys, Nexpose, SAINT, Rapid7, etc.)
  • Excellent verbal and written communication skills

Strongly Desired Skills

  • Prior programming experience
  • Familiar with common security implementations and their associated gaps (e.g., Active Directory, OpenLDAP, Centralized DNS, PKI, SSL, SAML, OAuth, REST, SSO, OpenID 2.0/OpenID Connect etc.)
  • Experience with ColdFusion, PHP, ASP.NET, VB 6, VB.NET, T-SQL, Postgres, PL/SQL, MySQL, HTML, jQuery, JavaScript and AJAX
  • Knowledge of threat modeling or other risk identification techniques
  • Familiar with network penetration testing tools, processes, methodologies, and strategies
  • Familiar with security exercise tools, processes, methodologies, and strategies
  • Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), CISSP, or related certifications a plus



Grow your career. Be on a winning team.
Fortinet (NASDAQ: FTNT) is a worldwide provider of network security appliances and the market leader in unified threat management (UTM). Our products and subscription services provide broad, integrated and high-performance protection against dynamic security threats while simplifying the IT security infrastructure. Fortinet is headquartered in Sunnyvale, Calif., with offices around the world. If you're looking for a fast-paced, challenging and rewarding environment, then Fortinet is the place for you. We are an equal opportunity employer offering exciting work, competitive compensation and benefits. Fortinet is looking for the best and the brightest to join our highly motivated team.
Company Industry: Computer & Network Security
Company Type: Public Company
Company Size: 1,001-5000