Principal Application Security Engineer
Fortinet (NASDAQ: FTNT) protects the most valuable assets of some of the largest enterprise, service provider and government organizations across the globe. The company's fast, secure and global cyber security solutions provide broad, high-performance protection against dynamic security threats while simplifying the IT infrastructure. They are strengthened by the industry's highest level of threat research, intelligence and analytics. Unlike pure-play network security providers, Fortinet can solve organizations' most important security challenges, whether in networked, application or mobile environments - be it virtualized/cloud or physical. More than 210,000 customers worldwide, including some of the largest and most complex organizations, trust Fortinet to protect their brands. Learn more at http://www.fortinet.com, the Fortinet Blog or FortiGuard Labs.
Reporting to the Director of Information Security and Compliance, the Principal Application Security Engineer is an integral part of Fortinet's security team, helping to ensure application stability and the security of Fortinet's corporate and research environments. The Engineer will be foremost responsible for providing the highest level of security engineering support for applications, and to a lesser extent for infrastructure, at Fortinet.
Note: This is a Security Analyst position. To put it in simplified terms: Security Engineers like to fix systems and Security Analysts try to break them. Analysts are more concerned with probing for risks and weaknesses (pen-testing, auditing, etc.); engineers are more intent on building robust security solutions.
We are looking for a highly motivated and qualified security professional with hands-on experience performing vulnerability assessments, who possesses a thorough working knowledge of common commercial and/or open source vulnerability assessment tools and techniques used for evaluating operating systems, databases and web applications (e.g., penetration testing methods related to web application mapping, reviewing client-side controls, testing user-input fields, and attacking session management, authentication, access controls, encryption, and backend databases/data stores). Candidates must have at least 5-7 years of current experience performing penetration tests, and have experience using both open source and commercial testing tools. Candidates should be familiar with manual testing techniques and be able to conduct penetration testing without data from vulnerability scanning engines.
The role primarily concentrates on some network penetration testing, but mostly on web application penetration testing based on OWASP testing guidelines. The role also acts as liaison and SME to in-house groups of development engineers in IT with scant understanding of SAST, DAST, RASP and IAST practices, and will coordinate with teams to raise the level of application security skills, process, review and reporting.
The candidate will provide technical information system security testing in support of the appropriate security risk management processes. Techniques used in the security assessment and technical testing efforts include in-depth network and application vulnerability testing (both automated and manual) and demonstrable false-positive validation. Automated testing will include tools such as Whitehat Security, Cenzic Hailstorm, Burp Suite Professional, DBProtect, Core Impact, Nmap, Metasploit, and other such tools as found in the BackTrack and Samurai Web Testing Framework distributions. The candidate will be required to develop documentation in support of testing efforts, which may include Test Plans, Preliminary Findings Reports, Security Assessment Reports, and other similar test artifacts.
The candidate will be part of a team whose tasks include providing a secure environment and managing and mitigating risks; providing reporting and metrics; creating, reviewing, maintaining, and updating documentation, including documenting and publishing fixes in a central knowledge base; working with global colleagues to provide globally consistent processes and solutions; investigating and troubleshooting root causes when escalated from operations; and escalating to and liaising with additional internal/external groups when required.
The ideal candidate is a dedicated self-starter with an interest in application security and IT infrastructure vulnerabilities and a willingness to take on complex issues and resolve them in a timely manner. The candidate must have the aptitude to learn new concepts quickly, with enough background knowledge in the operations field to understand new information security concepts and their technology ramifications.
The role helps to maintain enterprise information security policies, technical standards, guidelines, procedures, and other elements necessary to support information security in compliance with established company policies, regulatory requirements, and generally accepted information security controls.
- Web application security assessments (XSS, CSRF, SQL-Injections, etc. via manual testing)
- Web vulnerability scans
- Asset identification, network discovery, and software inventory
- Identification of misconfigured software
- Assessments of patching program effectiveness
- Participation in incident response and remediation efforts
- Analysis of hacking, penetration and defense threats
- Maintenance of relevant exploit databases
- Infrastructure assessments, penetration testing and vulnerability assessment
- Other duties as assigned
- BS degree in computer science, related discipline or equivalent experience
- Minimum of 5+ years of relevant experience, additional years a plus
- Thorough understanding of Networking Protocols (e.g., TCP/IP, UDP, IPSEC, HTTP, HTTPS, routing protocols, etc.)
- Hands-on experience using a major enterprise web scanning tool (e.g., HP WebInspect, IBM AppScan, Acunetix, NTO Spider, etc.)
- Familiarity with one major SAST tool or service (Veracode and/or HP Fortify)
- Familiar with vulnerability assessment, confirmation, and validation tools, processes, methodologies, and strategies, including static and dynamic analysis tools/techniques
- Complete familiarity with the Open Web Application Security Project (OWASP)
- Some experience with code reviews of Perl, Python, Ruby, Java, HTML, CSS, ASP, ASP.NET, ColdFusion, Oracle, T-SQL, SQL and other languages, and identification of code logic flaws
- Familiar with vulnerability reporting, tracking, management, and remediation processes, methodologies, and strategies
- Familiar with host and vulnerability discovery strategies, processes, and best practices
- Familiarity with, and hands-on pen-testing experience against, Windows, Linux, OS X, and mobile platform environments
- Familiarity with, and hands-on pen-testing experience against, common network topologies and implementations (e.g., infrastructure, DMZs, zones, wireless, etc.)
- Familiarity with network scanning tools (e.g., Qualys, Nexpose, SAINT, Rapid7, etc.)
- Excellent verbal and written communication skills
Strongly Desired Skills
- Prior programming experience
- Familiar with common security implementations and their associated gaps (e.g., Active Directory, OpenLDAP, Centralized DNS, PKI, SSL, SAML, OAuth, REST, SSO, OpenID 2.0/OpenID Connect etc.)
- Knowledge of threat modeling or other risk identification techniques
- Familiar with network penetration testing tools, processes, methodologies, and strategies
- Familiar with security exercise tools, processes, methodologies, and strategies
- Certified Ethical Hacker (CEH), Licensed Penetration Tester (LPT), CISSP, or related certifications a plus
Company Type: Public Company
Company Size: 1,001-5,000