AbbVie is a company dedicated to discovering and delivering innovative medicines and solutions for serious health issues. They are seeking a Senior Application Security Engineer to enhance their application security processes, integrate security tooling into CI/CD pipelines, and support development teams in identifying and mitigating vulnerabilities.
Responsibilities:
- Implementing and maintaining Application Security Testing (AST) tools (SAST, DAST, IAST, SCA, etc.) to identify code and dependency vulnerabilities during the software development lifecycle
- Implementing and maintaining Application Security Posture Management (ASPM) tools to centralize and deduplicate findings from multiple solutions and integrate into software development processes
- Acting as the first line of support for tool users: helping resolve false positives, providing guidance on remediating findings, and evaluating security exception requests
- Integrating security tooling with Continuous Integration/Continuous Deployment (CI/CD) pipelines
- Developing detailed reports on security findings and remediation efforts
- Demonstrating high proficiency across a wide range of technologies and platforms related to application security, software design and development, containerization, and cloud environments
- Communicating security risks and evangelizing secure development practices to development teams and their management
- Learning about and understanding vulnerabilities, and triaging security risks at scale across disparate application development environments and business units
Requirements:
- Bachelor's Degree and 7 years' experience OR Master's Degree and 6 years' experience OR PhD and 2 years' experience
- 5+ years of experience in application security and software development
- 3+ years of experience implementing, administering, and supporting application security tooling such as SAST/DAST/IAST/SCA
- Extensive knowledge of secure coding practices across multiple programming languages (esp. Java, Node.js)
- Extensive experience integrating security testing into CI/CD pipelines
- Strong knowledge of application security principles along with common vulnerabilities (e.g., OWASP Top 10, CWE, etc.) and associated mitigations
- Experience implementing and scaling DevSecOps practices and tooling within large organizations
- Experience implementing DevSecOps workflows in cloud environments such as AWS and Azure
- Experience developing Infrastructure as Code (IaC) via solutions such as Terraform and/or CloudFormation
- Experience supporting developers with assessing and mitigating application security test findings
- Ability to effectively communicate technical findings to both technical and non-technical stakeholders
- Demonstrated ability to function as a principal engineer, generating original technical ideas and strategies. Demonstrated creative 'out of the box' thinking to solve difficult technical problems and champion new technologies to achieve program goals
- Excellent written and oral English communication skills, as demonstrated by presenting at leading scientific or technical conferences
- Experience coaching and supporting the development of junior engineers
- Experience implementing tooling to consolidate application security test findings from multiple sources to facilitate developer engagement and integrate with development workflows and tracking systems
- Experience administering Snyk and Endor Labs
- Experience integrating Cloud Security Posture Management (CSPM) tooling with application security pipelines
- Experience automating workflows via programming and scripting languages such as Python
- Experience building logging into DevSecOps pipelines to gain insights into pipeline performance
- Experience collaborating with vulnerability and risk management partners to interface with risk management and acceptance processes